Lean multiplication of multi-precision numbers over GF(2^(m))

ABSTRACT

Multi-precision multiplication methods over GF(2^(m)) include representing a first polynomial and a second polynomial as an array of n words. A recursive algorithm may be used to iteratively decompose the multiplication into a weighted sum of smaller subproducts. When the size of the smaller subproducts is less than or equal to a predetermined size, a nonrecursive algorithm may be used to complete the multiplication. The nonrecursive algorithm may be optimized to efficiently perform the bottom-end multiplication. For example, pairs of redundant subproducts can be identified and excluded from the nonrecursive algorithm. Moreover, subproducts having weights in a special form may be efficiently calculated by a process that involves storing and reusing intermediate calculations.

CROSS REFERENCE TO RELATED APPLICATIONS

[0001] This application claims the benefit of U.S. Provisional Patent Application No. 60/401,574, filed Aug. 6, 2002, and U.S. Provisional Patent Application No. 60/419,204, filed Oct. 16, 2002, both of which are incorporated herein by reference.

FIELD OF INVENTION

[0002] This application relates to the efficient multiplication of large numbers in a variety of different environments, including cryptography.

BACKGROUND

[0003] Performing mathematical operations on large numbers can be a time-consuming and resource-intensive process. One method of handling large numbers involves dividing the numbers into smaller divisions, or words, having a fixed length. Numbers divided in this manner are termed “multi-precision” numbers. In the field of digital circuits, for instance, the binary representation of a large number can be stored in multiple words, wherein each word has a fixed length of n bits depending on the word size supported by the associated hardware or software. Although adding and subtracting multi-precision numbers can be performed relatively efficiently, multi-precision multiplication is much more complex and creates a significant bottleneck in applications using multi-precision arithmetic.

[0004] One area that is affected by the complexity of multi-precision multiplication is cryptography. Many cryptographic algorithms, including the Diffie-Hellman key exchange algorithm, elliptic curve cryptography, and the Elliptic Curve Digital Signature Algorithm (ECDSA), involve the multi-precision multiplication of very large numbers. For example, elliptic curve systems perform multi-precision arithmetic on 128- to 256-bit numbers, while systems based on exponentiation may employ 1024- to 2048-bit numbers.

[0005] Many cryptographic applications use finite field arithmetic. For example, elliptic curve cryptography typically operates in the finite field GF(2^(m)). The multiplication operation in finite-field applications can be particularly slow and inefficient. Several techniques have been proposed to perform fast arithmetic operations over GF(2^(m)). One technique, for example, uses an optimized normal basis representation. See R. Mullin et al., Optimal Normal Bases in GF(p^(n)), Discrete Applied Mathematics, Vol. 22, pp. 149-161 (1988). Although optimal normal basis multiplication is efficient in hardware, it is not efficient in software, and an optimal normal basis representation does not exist for all field sizes. Another technique involves embedding GF(2^(m)) in a larger ring R_(p) where the arithmetic operations can be performed efficiently. See J. H. Silverman, Fast Multiplication in Finite Field GF(2^(N)), Cryptographic Hardware and Embedded Systems, pp. 122-134 (1999). This method, however, works only when m+1 is a prime, and 2 is a primitive root modulo m+1. Another technique involves using a standard basis with coefficients in a subfield GF(2^(r)). See E. De Win et al., A Fast Software Implementation for Arithmetic Operations in GF(2^(n)), Advances in Cryptology—ASIACRYPT 96, pp. 65-76 (1996); J. Guajardo and C. Paar, Fast Efficient Algorithms for Elliptic Curve Cryptosystems, Advances in Cryptology—CRYPTO 97, pp. 342-356 (1997); and C. Paar and P. Soria-Rodriguez, Fast Arithmetic Architectures for Public-Key Algorithms Over Galois Fields GF((2^(n))^(m)), Advances in Cryptology—EUROCRYPT 97, pp. 363-378 (1997). In this method, however, the field size m must be a multiple of r, and look-up tables are required to perform the calculations in GF(2^(r)). Still another technique involves adapting Montgomery multiplication for the fields GF(2^(m)). See C. Koc and T. Acar, Montgomery Multiplication in GF(2^(k)), Designs, Codes and Cryptography, 14(1):57-69 (April 1998).

[0006] In order to improve the performance of these and other cryptographic systems, improved multi-precision multiplication methods and apparatus are needed.

SUMMARY

[0007] Methods and apparatus for multiplying multi-precision numbers over GF(2^(m)) using a polynomial representation are disclosed. The disclosed methods may be used in a number of different applications that utilize multi-precision arithmetic. For example, the method can be used to generate various cryptographic parameters. In one particular implementation, for instance, a private key and a base point are multiplied using one of the disclosed methods to obtain a product that is associated with a public key. In this implementation, the private key and the base point are multi-precision polynomials. The disclosed methods may similarly be used in a signature generation or signature verification process (e.g., the Elliptic Curve Digital Signature Algorithm (ECDSA)).

[0008] In an exemplary embodiment, a method is disclosed that includes representing the first polynomial and the second polynomial as an array of n words, wherein n is an integer. A recursive algorithm is used to decompose a multiplication of the first polynomial and the second polynomial into a weighted sum of iteratively smaller subproducts. A nonrecursive algorithm is used to complete the multiplication when a size of the smaller subproducts is less than or equal to a predetermined size, the predetermined size being at least two words. The recursive multiplication algorithm may be, for instance, a Karatsuba-Ofman algorithm, and the predetermined size may be, for example, six words. The nonrecursive multiplication algorithm may be optimized so that it operates more efficiently. For example, the nonrecursive algorithm may exclude pairs of redundant subproducts, or store and reuse previously calculated intermediate values. The previously calculated intermediate values may be part of a weighted sum of subproducts having special weights. For example, these subproducts may have weights z of the form Σ_(j=0) ^(n−1) z^(i+j) for i=0, . . . , n−1, where i and j are index integers.

[0009] In another exemplary embodiment, a method of nonrecursively multiplying a first polynomial and a second polynomial over GF(2) is disclosed. A first polynomial and a second polynomial are represented as n words, where n is an integer greater than one. A partial result is determined by calculating a weighted sum of one-word subproducts having weights z of the form Σ_(j=0) ^(n−1) z^(i+j) for i=0, . . . , n−1, wherein i and j are index integers. The partial result is updated by adding any remaining one-word subproducts. The method may also include identifying and excluding pairs of redundant one-word subproducts. Moreover, during the calculation of the partial result, intermediate calculations may be stored in a memory and reused.

[0010] In yet another exemplary embodiment, a method of deriving an algorithm for multiplying a first polynomial and a second polynomial over GF(2) is disclosed. The product of a first polynomial and a second polynomial is decomposed into a weighted sum of one-word subproducts. Pairs of redundant one-word subproducts are identified and removed from the weighted sum, resulting in a revised weighted sum having fewer XOR operations. In one particular implementation, the first or second polynomial is padded with zeros so that the polynomial has an even number of words. In this implementation, the zero-padded polynomials may be excluded from the revised weighted sum. In another implementation, the one-word subproducts having weights z of a form Σ_(j=0) ^(n−1) z^(i+j) for i=0, . . . , n−1 are identified. These one-word subproducts can be calculated in a weighted sum by a process of storing and reusing the intermediate calculations.

[0011] The disclosed methods may be implemented in a variety of different software and hardware environments. Any of the disclosed methods may be implemented, for example, as a set of computer-executable instructions stored on a computer-readable medium.

[0012] These and other features of the disclosed technology are described below with reference to the accompanying figures.

BRIEF DESCRIPTION OF THE DRAWINGS

[0013] FIG. 1 is a flowchart showing a general method of multiplying multi-precision polynomials over GF(2^(m)).

[0014] FIG. 2 is a block diagram of an exemplary recursion tree having two levels of recursion.

[0015] FIG. 3 is a block diagram of an exemplary recursion tree having three levels of recursion.

[0016] FIG. 4 is a block diagram showing a selected path on the recursion tree of FIG. 3. FIG. 5 is a flowchart showing a general method of nonrecursively multiplying multi-precision polynomials over GF(2^(m)).

[0017] FIG. 6 is a first block diagram illustrating the operation of the method of FIGS. 1 and 5 using the recursion tree of FIG. 2.

[0018] FIG. 7 is a second block diagram illustrating the operation of the method of FIGS. 1 and 5 using the recursion tree of FIG. 2.

[0019] FIG. 8 is a third block diagram illustrating the operation of the method of FIGS. 1 and 5 using the recursion tree of FIG. 2.

[0020] FIG. 9 is a block diagram of a general-purpose computer configured to perform multi-precision multiplication according to the disclosed methods.

[0021] FIG. 10 is a block diagram of a cryptographic system configured to perform multi-precision multiplication according to the disclosed methods and to output a cryptographic parameter.

DETAILED DESCRIPTION

[0022] Disclosed below are representative embodiments that should not be construed as limiting in any way. Instead, the present disclosure is directed toward novel and nonobvious features and aspects of the various embodiments of the multi-precision multiplication methods and apparatus described below. The disclosed features and aspects can be used alone or in novel and nonobvious combinations and sub-combinations with one another.

[0023] Although the operations of the disclosed methods are described in a particular, sequential order for the sake of presentation, it should be understood that this manner of description encompasses minor rearrangements, unless a particular ordering is required. For example, operations described sequentially may in some cases be rearranged or performed concurrently. Moreover, for the sake of simplicity, the disclosed flowcharts typically do not show the various ways in which particular methods can be used in conjunction with other methods. Moreover, for the sake of presentation, the detailed description sometimes uses terms like “determine” and “obtain” to describe the disclosed methods. These terms are high-level abstractions of the actual operations that are performed by a computer or digital circuit. The actual operations that correspond to these terms will vary depending on the particular implementation and are readily discernible by one of ordinary skill in the art.

[0024] As more fully described below, the disclosed methods can be implemented in a variety of different environments, including a general-purpose computer, an application-specific computer or in various other environments known in the art. The particular environments discussed, however, should not be construed to limit the scope of use or functionality of the disclosed methods.

[0025] General Considerations

[0026] The elements in GF(2^(m)) can be represented in various bases. For purposes of this disclosure, the standard basis representation for GF(2^(m)) is used. In the standard basis, the field elements are represented as polynomials in the form a(x)=a₀+a₁x+. . . +a_(m−1)x^(m−1) where all a_(i) are elements of GF(2^(m)). The operations on these elements are performed modulo a fixed irreducible polynomial of degree m. Thus, standard basis multiplication in GF(2^(m)) has two phases. The first phase consists of multiplying two polynomials over GF(2^(m)) and the second phase consists of reducing the result modulo an irreducible polynomial of degree m. The complexity of standard polynomial multiplication is O(m²). Modulo reduction can be an even more time-consuming operation because it involves division.

[0027] As seen, both phases of standard basis multiplication in GF(2^(m)) are quite costly. The cost of the first phase can be decreased by using the Karatsuba-Ofman Algorithm (KOA) to multiply the polynomials over GF(2^(m)). The KOA is a multiplication algorithm whose asymptotic complexity is O(m^(1.58)). Thus, its computational cost is less than the standard O(m²) multiplication for large m values. The second phase can also be decreased by choosing an irreducible polynomial with a small number of terms. In particular, a trinomial or pentanomial can be used as the irreducible polynomial. A trinomial is a polynomial 1+x^(a)+x^(m) with only three terms, while a pentanomial is a polynomial 1+x^(a)+x^(b)+x^(c)+x^(m) with only five terms. The complexity of the modulo reduction operation with a trinomial or a pentanomial is O(m). Further, a trinomial or a pentanomial can be found for any field size m<1000.

[0028] Combining the KOA and modulo reduction with a trinomial or pentanomial yields a fast multiplication method for GF(2^(m)). This fast multiplication method works for all field sizes. As more fully discussed below, the first phase of this method (i.e., the phase in which the polynomials over GF(2^(m)) are multiplied using the KOA) can be improved even further.

[0029] Polynomials Over GF(2^(m)) and Notation

[0030] The coefficients of the polynomials over GF(2^(m)) are 0 or 1 and operations on these coefficients are performed according to modulo two arithmetic. Thus, addition and subtraction of the coefficients is equivalent to performing XOR operations. As a result, the addition and subtraction of two polynomials can be performed by XORing the corresponding coefficients. Note that polynomial multiplication also depends on the XOR addition/subtraction operation because polynomial multiplication involves a series of coefficient additions.

[0031] For purposes of this disclosure, bold face variables denote polynomials. Although these polynomials are functions of x, the x argument is omitted for the sake of presentation. Thus, a polynomial denoted by a(x) in the traditional notation will be denoted by a.

[0032] Let a be a polynomial over GF(2) of degree m−1 where,

a = a₀ + a₁x + . . . + a_(m−1)x^(m−1),  (1)

[0033] and where the a_(i)'s are binary-valued coefficients. These coefficients are stored as the m-bit sequence (a₀, a₁, . . . , a_(m−1)). These bits are partitioned into several words. Let a word length be w bits and n=┌m/w┐. The m-bit sequence (a₀, a₁, . . . , a_(m−1)) can be extended to the nw-bit sequence (a₀, a₁, . . . , a_(m−1), a_(m)=0, a_(m+1)=0, . . . , a_(nw−1)=0) by zero padding. The bits are then partitioned into n words such that the ith word contains the bit sequence a_(iw+j) for j=0, . . . , w−1. Let the polynomial a[i] be defined from the coefficients in the ith word as follows:

a[i] = Σ_(j=0) ^(w−1) a_(iw+j) x^(j).  (2)

[0034] The term a can be expressed in terms of the a[i]'s and z=x^(w) as follows:

$$a = a_0 + a_1 x + \cdots + a_{nw-1} x^{nw-1} = \sum_{i=0}^{n-1} \sum_{j=0}^{w-1} a_{iw+j} x^{iw+j} = \sum_{i=0}^{n-1} \left( \sum_{j=0}^{w-1} a_{iw+j} x^{j} \right) x^{iw} = \sum_{i=0}^{n-1} a[i]\, z^{i} = a[0] + a[1]\, z + \cdots + a[n-1]\, z^{n-1}. \qquad (3)$$

[0035] As mentioned before, the coefficients of the polynomial a are stored in n words. Thus, a polynomial a over GF(2^(m)) can be viewed as an n-word array. According to this analogy between the polynomials and the arrays, the polynomial a[i] for i=0, . . . , n−1 is the ith word of a and the binary-valued coefficients are bits.

[0036] The polynomial a[k #l] can be defined from the words a[i+k] for i=0, . . . , l−1 as follows:

$$a[k\,\#\,l] = \sum_{i=0}^{l-1} a[i+k]\, z^{i} = a[k] + a[k+1]\, z + \cdots + a[k+l-1]\, z^{l-1}. \qquad (4)$$

[0037] The polynomial a[k #l] can be viewed as a subarray of a. In this subarray notation, k and l are the index and length parameters. The value of k points to the first word of the subarray and shows the position of this word in a, while l gives the length of the subarray in words.

[0038] For purposes of this disclosure, the following arithmetic operations on the polynomials over GF(2^(m)) are used: (1) polynomial addition; (2) multiplication of a polynomial by powers of z; and (3) polynomial multiplication.

[0039] Polynomial Addition Over GF(2^(m))

[0040] The addition of the polynomials over GF(2^(m)) can be performed by XORing the corresponding words of the arrays in which the polynomials are stored. For example, let a and b be two n-word polynomials. The n-word polynomial t=a+b can be computed as follows:

for i=0 to n−1

t[i]:=a[i] XOR b[i]  (5)

[0041] Polynomial addition is generally simple to implement in software because every general-purpose processor has an instruction to XOR word-size operands such as a[i] and b[i].

[0042] Multiplication by Powers of z

[0043] Because z=x^(w), multiplying a polynomial by z^(i) is equivalent to shifting the words in its array representation up by i positions. Thus, the jth word becomes the (i+j)th word. Because of shifting, the 0th to (i−1)th words are emptied. These words are filled with zeros. For example, let a be an n-word polynomial. The (n+i)-word polynomial t=a z^(i) can be found as follows:

for j=0 to i−1,

t[j]:=0;

for j=0 to n−1,

t[i+j]:=a[j].  (6)

[0044] Note that the multiplication by z^(i) involves array indexing and does not use any computation.

[0045] Polynomial Multiplication Over GF(2^(m))

[0046] Let a and b be two n-word polynomials. The 2n-word product t=a*b can be computed as follows:

for i=0 to n−1,

for j=0 to n−1,

(C,S):=MULGF2(a[i],b[j])

t[i+j]:=t[i+j] XOR S

t[i+j+1]:=t[i+j+1] XOR C,  (7)

[0047] where MULGF2 multiplies two one-word polynomials, writes the lower word of the result into S, and writes the higher word into C. However, no general-purpose processor contains an instruction to perform the MULGF2 operation. Instead, MULGF2(a[i],b[j]) can be emulated as follows:

C:=0; S:=0

for k=0 to w−1,

S:=SHL(S)

C:=RCL(C)

if BIT(b[j],k)=1 then

S:=S XOR a[i],  (8)

[0049] where SHL shifts its operand to the left by one bit, and RCL is a rotate (circular shift) instruction that shifts its operand circularly to the left by one bit. As seen above, MULGF2 consists of a sequence of shifts and XOR operations because the polynomial multiplication involves a sequence of shifts and additions. In the operation outlined above, for instance, the addition is the bitwise XOR operation.

[0050] The Karatsuba-Ofman Algorithm

[0051] The Karatsuba-Ofman algorithm (KOA) is a divide-and-conquer technique used to perform large multiplications. For instance, large multiplication may involve the multiplication of multiplicands comprised of a large number of words. In general, the KOA computes a large multiplication using the results of the smaller multiplications. The KOA computes these smaller multiplications using the results of still smaller multiplications. This process continues recursively until the multiplication becomes relatively small (e.g., until the multiplicands are reduced to one word) such that they may be computed directly without any recursion.

[0052] As more fully described below, the KOA algorithm may be modified such that the recursions are stopped early and a bottom-level multiplication is performed using some nonrecursive algorithms. These nonrecursive algorithms may be derived from the KOA by removing its recursions. Moreover, the algorithms may be optimized by exploiting the arithmetic of the polynomials over GF(2^(m)). Consequently, the complexity and recursion overhead can be reduced. For purposes of this disclosure this modified embodiment of the KOA is termed the LKOA, or “lean” implementation of the KOA.

[0053] Polynomial Multiplication Over GF(2^(m)) Using the KOA

[0054] Let a be an n-word polynomial. Note that n = ┌n/2┐ + └n/2┘, since n is an integer. The operand a may be split into a ┌n/2┐-word polynomial a_(L) and a └n/2┘-word polynomial a_(H) as follows:

$$a_L = a[0\,\#\,\lceil n/2 \rceil] = \sum_{i=0}^{\lceil n/2 \rceil - 1} a[i]\, z^{i}, \qquad a_H = a[\lceil n/2 \rceil\,\#\,\lfloor n/2 \rfloor] = \sum_{i=0}^{\lfloor n/2 \rfloor - 1} a[i + \lceil n/2 \rceil]\, z^{i}. \qquad (9)$$

[0057] Consequently, a_(L) and a_(H) are two half-sized polynomials defined from the first ┌n/2┐ and the last └n/2┘ words of a respectively. Thus, a_(L) contains the coefficients of the lower-order terms of a, while a_(H) contains the coefficients of the higher-order terms. The operand a can be represented in terms of these half-sized polynomials in the following manner:

$$\begin{aligned} a &= \sum_{i=0}^{\lceil n/2 \rceil - 1} a[i]\, z^{i} + z^{\lceil n/2 \rceil} \sum_{i=0}^{\lfloor n/2 \rfloor - 1} a[i + \lceil n/2 \rceil]\, z^{i} \\ &= a[0\,\#\,\lceil n/2 \rceil] + z^{\lceil n/2 \rceil}\, a[\lceil n/2 \rceil\,\#\,\lfloor n/2 \rfloor] \\ &= a_L + a_H\, z^{\lceil n/2 \rceil}. \end{aligned} \qquad (10)$$

[0060] Let b be another n-word polynomial. Like a, the operand b can be represented in terms of two half-sized polynomials:

b = b_(L) + b_(H) z^(┌n/2┐),  (11)

[0061] where b_(L) = b[0 #┌n/2┐] and b_(H) = b[┌n/2┐ #└n/2┘].

[0062] Then, the product t=ab can be expressed in terms of the four half-sized products a_(L)b_(L), a_(L)b_(H), a_(H)b_(L), and a_(H)b_(H) as follows:

$$\begin{aligned} t &= ab \\ &= \left( a_L + a_H\, z^{\lceil n/2 \rceil} \right)\left( b_L + b_H\, z^{\lceil n/2 \rceil} \right) \\ &= a_L b_L + \left( a_L b_H + a_H b_L \right) z^{\lceil n/2 \rceil} + a_H b_H\, z^{2\lceil n/2 \rceil}. \end{aligned} \qquad (12)$$

[0063] Because the addition of two polynomials over GF(2^(m)) is performed by XORing the corresponding coefficients, the equality a_(L)b_(H)+a_(H)b_(L)=(a_(L)+a_(H))(b_(L)+b_(H))+a_(L)b_(L)+a_(H)b_(H) is true. By using this equality, the previous equation can be rewritten as:

$$t = a_L b_L + \left[ (a_L + a_H)(b_L + b_H) + a_L b_L + a_H b_H \right] z^{\lceil n/2 \rceil} + a_H b_H\, z^{2\lceil n/2 \rceil}. \qquad (13)$$

[0064] The above equation shows that three multiplications of half-sized polynomials are sufficient to compute t=ab instead of four. First, the products a_(L)b_(L), (a_(L)+a_(H))(b_(L)+b_(H)), and a_(H)b_(H) are found. Then, the results are multiplied by the appropriate powers of z and added to one another to obtain t=ab. The multiplication by the powers of z can be implemented as array shifts.

[0065] The general concept of the KOA is to express a multiplication in terms of three half-sized multiplications, as in Equation (13). Consequently, one multiplication operation can be saved at the expense of performing more additions. Because the complexity of multiplication is quadratic, while the complexity of addition is linear, this substitution is advantageous for large values of n.

[0066] As shown in Equation (13), the KOA computes a product from three half-sized products. In this same fashion, the KOA computes each of the half-sized products from three quarter-sized products. This process continues recursively until the products get very small (e.g., until the multiplicands are reduced to one word) and can be computed quickly using classical methods.

[0067] The following exemplary recursive function implements the KOA for the polynomials over GF(2^(m)). The function is provided in the following pseudocode:

function: KOA(a, b : n-word polynomial; n : integer)
t : 2n-word number
a_(L), a_(M) : ┌n/2┐-word polynomial
low, mid : 2┌n/2┐-word polynomial
a_(H) : └n/2┘-word polynomial
high : 2└n/2┘-word polynomial
begin
Step 1: if n = 1 then return t := MULGF2(a, b)
/* Generate 3 pairs of half sized numbers */
Step 2: a_(L) := a[0 #┌n/2┐]
Step 3: b_(L) := b[0 #┌n/2┐]
Step 4: a_(H) := a[┌n/2┐ #└n/2┘]
Step 5: b_(H) := b[┌n/2┐ #└n/2┘]
Step 6: a_(M) := a_(L) + a_(H)
Step 7: b_(M) := b_(H) + b_(L)
/* Recursively multiply the half sized numbers */
Step 8: low := KOA(a_(L), b_(L), ┌n/2┐)
Step 9: high := KOA(a_(H), b_(H), └n/2┘)
Step 10: mid := KOA(a_(M), b_(M), ┌n/2┐)
/* Combine the subproducts to obtain the output */
Step 11: t := low + [mid + low + high] z^(┌n/2┐) + high z^(2┌n/2┐)
return t
end

[0068] In Step 1, n is evaluated. If n is one (i.e., if the inputs are one-word inputs), the inputs are multiplied using classical methods and the result returned. Otherwise, the function continues to the remaining steps. In Steps 2 through 5, two pairs of half-sized polynomials (a_(L), b_(L)) and (a_(H), b_(H)) are generated from the lower- and higher-order words of the inputs. In Steps 6 and 7, another pair, (a_(M), b_(M)), is obtained by adding a_(L) with a_(H) and b_(L) with b_(H). In Steps 8, 9, and 10, these three pairs are multiplied. These multiplications are performed by three recursive calls to the KOA function and yield the subproducts low, mid, and high.

[0069] Finally, t=ab is computed from the subproducts in Step 11, as shown in Equation (13). These subproducts are low=a_(L)b_(L), high=a_(H)b_(H), and mid=a_(M)b_(M)=(a_(L)+a_(H))(b_(L)+b_(H)).

[0070] The Lean Karatsuba-Ofman Algorithm (LKOA)

[0071] The recursion overhead degrades the performance of the KOA. Thus, it is desirable to stop the KOA recursions early and perform the bottom-level multiplications using some nonrecursive method. For this, Step 1 of the KOA function (as outlined above) can be modified. For example, the recursion can be stopped when n≦n₀ where n₀ is some predetermined integer. A nonrecursive function can then be called to perform the remaining multiplication.

[0072] A variety of different nonrecursive algorithms can be used to multiply the polynomials of size n≦n₀. For example, in one exemplary embodiment, the polynomials are multiplied on a word-by-word basis, as shown above in the section discussing polynomial multiplication over GF(2^(m)). In another exemplary embodiment, a series of nonrecursive algorithms derived from the KOA can be used. These algorithms are each specific to a fixed input size and multiply 2, 3, . . . n-word polynomials respectively. The algorithms may be used in a variety of different combinations and subcombinations with one another. For instance, one particular embodiment uses the 2, 3, 4, 5, and 6-word nonrecursive multiplication algorithms described below in combination with the KOA. The details of the particular algorithms described may be modified in a number of ways (e.g., the sequence in which the various subproducts are computed may be altered) without departing from the scope of the present disclosure.

[0073] The following discussion describes one particular implementation in which the KOA function multiplies the polynomials of the size n≦n₀=6 without any recursion. In this implementation, Step 1 of the KOA is modified as follows:

Step 1: if n ≦ 6 then
  if n = 1 then return t := MULGF2(a, b) endif
  if n = 2 then return t := KOA2(a, b) endif
  if n = 3 then return t := KOA3(a, b) endif
  if n = 4 then return t := KOA4(a, b) endif
  if n = 5 then return t := KOA5(a, b) endif
  if n = 6 then return t := KOA6(a, b) endif
endif
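The following Python program is an added worked example, not code from the patent. It implements on word arrays the MULGF2 emulation of Equation (8), the word-by-word product of Equation (7), and the KOA function (Steps 1 through 11), and it stops the recursion at a cutoff n₀ as the modified Step 1 does. Because the size-specific routines KOA2 through KOA6 are only named on this page, the bottom-level product here is the word-by-word algorithm, which is the page's first nonrecursive embodiment. The word size W=32, the MULGF2/XOR counters and the cutoff parameter `n0` are this example's own choices; the counters make visible the trade of MULGF2 operations for XOR operations that the later section on fast GF(2^(m)) multiplication discusses.

```python
# Added example (not code from the patent): the patent's word-array arithmetic
# on Python ints.  Word size W, the operation counters and the cutoff n0 are
# this example's own choices.
W = 32                          # word length w in bits (assumption)
MASK = (1 << W) - 1
ops = {"MULGF2": 0, "XOR": 0}   # instrumentation only; not part of the page's method


def mulgf2(x, y):
    """Equation (8): carry-less product of two one-word polynomials as a
    sequence of shifts and XORs.  Returns (C, S): S is the low word of the
    2w-bit result, C the high word.  Bits of y are taken from the top so that
    the shift-and-add order produces the right alignment (bit j = coeff of x^j)."""
    ops["MULGF2"] += 1
    c = s = 0
    for k in range(W - 1, -1, -1):
        c = (c << 1) | (s >> (W - 1))   # RCL: the bit shifted out of S enters C
        s = (s << 1) & MASK             # SHL: shift the low word left by one bit
        if (y >> k) & 1:
            s ^= x                      # addition over GF(2) is XOR
    return c, s


def add(a, b):
    """Equation (5): polynomial addition is a word-wise XOR.  A shorter operand
    is treated as zero-padded, which Step 6 (a_M = a_L + a_H) needs when n is odd."""
    n = max(len(a), len(b))
    ops["XOR"] += n
    return [(a[i] if i < len(a) else 0) ^ (b[i] if i < len(b) else 0) for i in range(n)]


def shift_z(a, i):
    """Equation (6): multiplying by z^i only re-indexes the array (i zero words
    are placed below the existing ones); no arithmetic is performed."""
    return [0] * i + list(a)


def mul_schoolbook(a, b):
    """Equation (7): word-by-word product of two n-word polynomials, 2n words."""
    n = len(a)
    t = [0] * (2 * n)
    for i in range(n):
        for j in range(n):
            c, s = mulgf2(a[i], b[j])
            t[i + j] ^= s
            t[i + j + 1] ^= c
            ops["XOR"] += 2
    return t


def koa(a, b, n0=1):
    """Steps 1-11 of the KOA function.  The recursion stops once n <= n0
    (the modified Step 1 of the LKOA); this example then multiplies word by
    word rather than with the size-specific KOA2..KOA6 routines."""
    n = len(a)
    if n <= n0:                                  # Step 1 (cutoff)
        return mul_schoolbook(a, b)
    h = (n + 1) // 2                             # ceil(n/2); floor(n/2) = n - h
    a_l, a_h = a[:h], a[h:]                      # Steps 2 and 4: a[0 # h], a[h # n-h]
    b_l, b_h = b[:h], b[h:]                      # Steps 3 and 5
    a_m, b_m = add(a_l, a_h), add(b_l, b_h)      # Steps 6 and 7
    low = koa(a_l, b_l, n0)                      # Step 8
    high = koa(a_h, b_h, n0)                     # Step 9
    mid = koa(a_m, b_m, n0)                      # Step 10
    # Step 11 / Equation (13): t = low + [mid + low + high] z^h + high z^(2h)
    t = add(low, shift_z(add(add(mid, low), high), h))
    t = add(t, shift_z(high, 2 * h))
    return (t + [0] * (2 * n))[:2 * n]           # exactly 2n words


def to_words(value, n):
    """Pack an int whose bit j is the coefficient of x^j into n words a[i]."""
    return [(value >> (W * i)) & MASK for i in range(n)]


def count_ops(fn, *args):
    """Run fn(*args); return (result, MULGF2 calls, XOR words) used by the call."""
    before = dict(ops)
    result = fn(*args)
    return result, ops["MULGF2"] - before["MULGF2"], ops["XOR"] - before["XOR"]


if __name__ == "__main__":
    import random
    rng = random.Random(2002)                    # constructed sample operands
    for n in (2, 3, 6, 16):
        a = [rng.getrandbits(W) for _ in range(n)]
        b = [rng.getrandbits(W) for _ in range(n)]
        ref, m_ref, x_ref = count_ops(mul_schoolbook, a, b)
        for n0 in (1, 4, 6):
            t, m_koa, x_koa = count_ops(koa, a, b, n0)
            assert t == ref                      # KOA agrees with Equation (7)
            print(f"n={n:2d} n0={n0}: MULGF2 {m_koa:4d} vs {m_ref:4d}, "
                  f"XOR {x_koa:5d} vs {x_ref:5d}")
```

Running the script prints, for each operand size, how many MULGF2 and XOR operations the KOA needed against the word-by-word product; with n=16 and n0=4 the recursion reaches 4-word operands after two levels, exactly the path the page describes for 16-word polynomials, and uses 9 bottom-level products of 16 MULGF2 each instead of 256.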

[0074] In this exemplary implementation, KOA2, KOA3, KOA4, KOA5 and KOA6 are the algorithms derived from the KOA. To obtain these algorithms, the recursions of the KOA, as well as the inherent redundancies in the KOA, are removed by exploiting the arithmetic of the polynomials over GF(2^(m)). As noted above, this type of implementation is termed a lean implementation of the KOA, or LKOA.

[0075] The various algorithms—KOA2, KOA3, KOA4, KOA5, and KOA6—are explained below with the benefit of the preceding recursion tree analysis. Although only five such algorithms are expressly described in this disclosure, the techniques used to derive these algorithms could be used to obtain other algorithms for polynomials of the size n>6. Moreover, the various nonrecursive functions can be used in various other combinations not expressly described herein. For example, the LKOA algorithm described above can be modified such that only products of 4-word polynomials or less are determined using a nonrecursive function.

[0076] FIG. 1 is a flowchart 100 showing a general method of implementing the LKOA. At process block 110, two n-word operands a and b are obtained or received. As described above, the operands a and b comprise multiple words of one or more bits and represent a polynomial in GF(2^(m)). At process block 112, a recursive algorithm is used to decompose the multiplication of a and b into a weighted sum of smaller subproducts. The recursive algorithm utilized may be the KOA or a similar divide-and-conquer algorithm. As shown by process block 114, the decomposition continues until the size of the operands of the subproducts reaches a predetermined size. For example, in the exemplary implementation described above, the recursive algorithm is used to decompose the products until the operands are six words or less. When the operand size is less than the predetermined size, process block 116 shows that a nonrecursive algorithm is used to determine the smaller subproducts. The nonrecursive algorithm used may, for instance, be one of the nonrecursive algorithms described below, or another nonrecursive algorithm that efficiently determines the relevant subproduct. At process block 118, the values of these subproducts are used in the weighted sum of process block 112 to complete the calculation. At process block 120, the final value of the weighted sum is returned.

[0077] The following sections describe one particular implementation of the LKOA in greater detail.

[0078] Fast GF(2^m) Multiplication Using the LKOA

[0079] As mentioned before, two operands in GF(2^m) can be multiplied together in two phases. In the first phase, the (n = ⌈m/w⌉)-word polynomials representing the elements are multiplied and the 2n-word product polynomial is obtained. In the second phase, the product polynomial is reduced with an irreducible polynomial of degree m. In this way, an (n = ⌈m/w⌉)-word polynomial representing the multiplication result in GF(2^m) is obtained.

[0080] The polynomial multiplication in the first phase may be performed on a word-by-word basis using the straightforward MULGF2 multiplication algorithm described above. According to this method, however, the first phase is quadratic in time (i.e., O(m²)). Alternatively, the LKOA may be used to perform the first phase of polynomial multiplication. Because the LKOA runs in less than quadratic time, even for small values of m, the overall time for multiplication is decreased. The LKOA runs faster than the straightforward multiplication algorithm because it trades multiplications in favor of additions. In particular, the LKOA reduces the number of 1-word multiplications (MULGF2) at the expense of more 1-word additions (XOR). Because the MULGF2 operation is costly to implement, the tradeoff results in a more efficient multiplication algorithm. Indeed, the emulation of MULGF2 takes hundreds of clock cycles for a typical word size of w = 32. By contrast, the XOR operation is a simple operation that is performed in a single clock cycle in many processors. Table 6, discussed below, shows the number of XOR and MULGF2 operations needed for the KOA, the LKOA, and the straightforward polynomial multiplication. As seen in Table 6, the KOA and the LKOA use fewer MULGF2 operations than the straightforward polynomial multiplication for all n = ⌈m/w⌉.

[0081] For many applications, the LKOA can be used to multiply polynomials with no or little recursion. For example, the LKOA can be used in the finite fields GF(2^m) for 163 ≤ m ≤ 512, which are used in elliptic curve cryptography. If a word size w = 32 is used, for instance, then the polynomials representing the field elements are in the range of 6 to 16 words. When the LKOA multiplies 6-word polynomials, there is no recursion. Thus, in Step 1, the nonrecursive function KOA6 is called for the computation. When the LKOA multiplies 16-word polynomials, only two levels of recursive calls are used. In the first recursion level, the input size is reduced to 8-word polynomials. In the second recursion level, the input size is reduced to 4-word polynomials, and the inputs are multiplied by the nonrecursive function KOA4.

[0082] In the second phase of the GF(2^m) multiplication, the result of the polynomial multiplication is reduced with a trinomial or pentanomial of degree m. This computation has a linear time of O(m). The implementation of the reduction with a trinomial or pentanomial, for example, is relatively simple and straightforward. See, e.g., R. Schroeppel et al., Fast Key Exchange with Elliptic Curve Systems, Advances in Cryptology (CRYPTO 95), pp. 43-56 (1995).

[0083] Recursion Tree Analysis and Terminology

[0084] A recursion tree is a diagram that depicts the recursions in an algorithm. Recursion trees can be particularly helpful in the analysis of recursive algorithms like the KOA that may call themselves more than once in a recursion step.

[0085] In its simplest form, the recursion tree of an algorithm can be thought of as a hierarchical tree structure wherein each branch represents a recursive call of the algorithm. FIG. 2 shows an exemplary recursion tree 200 that depicts the multiplication of two exemplary polynomials using an algorithm similar to the KOA. For purposes of the example shown in FIG. 2, assume that the recursion stops when the subproducts reach a size of one word, at which point they can be calculated using classical methods. In the example shown in FIG. 2, the polynomials 1+x+x³+x⁴ and 1+x³+x⁵ are multiplied together. In FIG. 2, these polynomials are written as a string of two-bit words (i.e., as three words) showing the binary value of each polynomial's coefficients. Thus, the first polynomial 1+x+x³+x⁴ is denoted as “110110” and the second polynomial 1+x³+x⁵ is denoted as “100101.” The initial call to the algorithm is represented by the root 210 of the tree 200. The recursive calls made by the initial call constitute the first level of recursion 220 and are represented by the first-level branches 222, 224, 226 emerging from the root 210. The recursive calls made by these recursive calls constitute the second level of recursion 230 and are represented in the recursion tree 200 by the second-level branches 231 through 236 emerging from the first-level branches 222, 224. Note that branch 226 does not have any second-level branches stemming from it because branch 226 represents the product of one-word operands and can be calculated using classical methods (e.g., a MULGF2 operation supporting 2-bit words).

[0086] A branch emerging from another branch may be called a “child.” Similarly, the branch from which the child stems may be called the “parent.” In FIG. 2, for instance, branch 231 is the child of branch 222. In the recursion tree, if a branch represents a particular recursive call, its children represent the recursive calls made by that call. In other words, a “caller-callee” relationship in an algorithm corresponds to a “parent-child” relationship in the recursion tree. If a recursive call made at some recursion level doesn't make any recursive call at the next level, the branch representing it in the tree has no further children, and may be called a “leaf.”

[0087] In the recursion tree depicted in FIG. 2, recursive calls are made by two branches, 222 and 224. Thus, three branches, each representing a recursive KOA call, emerge from each of these branches. The leaves 231 through 236 and 226 represent the multiplication of one-word inputs, which do not make any recursive calls because they can be calculated using classical methods. Generally speaking, the size of the input parameters is reduced by half in each successive recursion level in the recursion tree. Thus, it is known that at some level, the branches will have one-word inputs and cease to make any further recursive calls.

[0088] Recursion tree terminology may be used to describe the KOA or a similar divide-and-conquer algorithm. For example, if one recursive call invokes another, the first recursive call may be referred to as the parent, and the latter recursive call as the child. Thus, a branch may be used as a synonym for a recursive call, and a leaf as a synonym for a recursive call with one-word inputs. Additionally, a path is defined as a sequence of branches from the root in which each branch is a child of the previous one.

[0089] For instance, consider branch 222 in FIG. 2. This branch is a call to the KOA function described above. It has two inputs, “1101” and “1001”. From these inputs, the branch 222 generates the half-sized pairs (a_L, b_L), (a_M, b_M) and (a_H, b_H) (or (11,10), (10,11), and (01,01), respectively). Its children take these pairs as inputs, multiply them, and return the subproducts low, mid, and high. Then, at Step 11, the subproducts are combined in a weighted sum to obtain the value of the product of “1101” and “1001.”

[0090] In the KOA, there are three choices for a branch. A branch either takes the input pair (a_L, b_L) from its parent and returns the subproduct low, takes the input pair (a_H, b_H) and returns the subproduct high, or takes the input pair (a_M, b_M) and returns the subproduct mid. For purposes of this disclosure, these first, second, and third types of branches are called low, high, and mid branches, respectively. This classification of the branches is given in Table 1 below.

TABLE 1
The classification of the branches in the tree

LOW BRANCH    takes the input pair (a_L, b_L) from its parent; returns the subproduct low to its parent
HIGH BRANCH   takes the input pair (a_H, b_H) from its parent; returns the subproduct high to its parent
MID BRANCH    takes the input pair (a_M, b_M) from its parent; returns the subproduct mid to its parent

[0091] Decomposition of Products Computed by Branches

[0092] Let a branch have the n-word inputs a and b, and the output t. The output is the 2n-word product of the inputs (i.e., t = ab). The branch computes t from the subproducts low, mid, and high as shown in Step 11 of the KOA function described above. Rearranging the terms of the equation in this step, the following equation can be obtained:

$t = low \, (1 + z^{\lceil n/2 \rceil}) + mid \, z^{\lceil n/2 \rceil} + high \, (z^{\lceil n/2 \rceil} + z^{2\lceil n/2 \rceil})$  (14)

[0093] It can be seen from Equation (14) how the product t is decomposed into the subproducts weighted by the polynomials in z. The sizes of these subproducts can be determined from the variable declarations in the KOA function. Table 2 below gives the sizes and the weights of each subproduct in terms of n. Note that the subproducts are computed by the children and the decomposed product t is computed by the parent. As noted above, n is the input size of this parent branch and the decomposed product t is comprised of 2n words.
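The decomposition of Equation (14) and Table 2 in running code, as an added example that is not the patent's own code: a recursive KOA over word arrays, with a software-emulated MULGF2 for the one-word leaves, checked against the straightforward word-by-word product and counting MULGF2 calls to show the multiplication/addition trade described above. Word arrays are little-endian (index 0 holds the coefficient of z^0); the word size w, the function names and the 32-bit sample operands are constructed here, while the 2-bit operands are those of FIG. 2.

```python
"""Recursive KOA over GF(2)[x] polynomials stored as word arrays (Equation (14),
Table 2). Added example, not the patent's own code. Arrays are little-endian:
a[i] is the i-th word, i.e. the coefficient of z^i, where z = x^w."""
from math import ceil

MULGF2_CALLS = 0          # counts 1-word multiplications, the costly primitive


def mulgf2(x, y, w):
    """Carry-less product of two w-bit words -> 2-word result [lo, hi].
    Software emulation of the MULGF2 primitive (shift-and-XOR)."""
    global MULGF2_CALLS
    MULGF2_CALLS += 1
    acc = 0
    for i in range(w):
        if (y >> i) & 1:
            acc ^= x << i
    mask = (1 << w) - 1
    return [acc & mask, acc >> w]


def add_shifted(t, p, k):
    """t += p * z^k in place (polynomial addition over GF(2) is word-wise XOR)."""
    for i, word in enumerate(p):
        t[i + k] ^= word


def xor_words(a, b):
    """a + b for arrays of possibly different length (shorter one zero-padded)."""
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [x ^ y for x, y in zip(a, b)]


def schoolbook(a, b, w):
    """Straightforward word-by-word product: n^2 MULGF2 calls (reference)."""
    t = [0] * (len(a) + len(b))
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            add_shifted(t, mulgf2(x, y, w), i + j)
    return t


def koa(a, b, w):
    """KOA product of two n-word arrays -> 2n-word array."""
    n = len(a)
    assert len(b) == n
    if n == 1:                          # leaf: classical 1-word multiplication
        return mulgf2(a[0], b[0], w)
    h = ceil(n / 2)
    a_l, a_h = a[:h], a[h:]             # Steps 2-5: lower ⌈n/2⌉ and upper ⌊n/2⌋ words
    b_l, b_h = b[:h], b[h:]
    a_m, b_m = xor_words(a_l, a_h), xor_words(b_l, b_h)   # Steps 6-7: a_M = a_L + a_H
    low = koa(a_l, b_l, w)              # 2⌈n/2⌉ words, weight 1 + z^h
    mid = koa(a_m, b_m, w)              # 2⌈n/2⌉ words, weight z^h
    high = koa(a_h, b_h, w)             # 2⌊n/2⌋ words, weight z^h + z^(2h)
    t = [0] * (2 * n)                   # Step 11 rearranged as Equation (14)
    add_shifted(t, low, 0)
    add_shifted(t, low, h)
    add_shifted(t, mid, h)
    add_shifted(t, high, h)
    add_shifted(t, high, 2 * h)
    return t


def count_mulgf2(fn, a, b, w):
    """Run fn(a, b, w) and return (product, number of MULGF2 calls it made)."""
    global MULGF2_CALLS
    MULGF2_CALLS = 0
    t = fn(a, b, w)
    return t, MULGF2_CALLS


if __name__ == "__main__":
    # FIG. 2 operands with 2-bit words: 1+x+x^3+x^4 = "110110", 1+x^3+x^5 = "100101"
    fig2_a, fig2_b = [0b11, 0b10, 0b01], [0b01, 0b10, 0b10]
    print(koa(fig2_a, fig2_b, 2))
    # constructed 6-word operands with w = 32
    a6 = [(0x9E3779B9 * (i + 1)) & 0xFFFFFFFF for i in range(6)]
    b6 = [(0x7F4A7C15 * (i + 3)) & 0xFFFFFFFF for i in range(6)]
    for fn in (schoolbook, koa):
        print(fn.__name__, count_mulgf2(fn, a6, b6, 32)[1])
```

For the 6-word case the counter reports 21 MULGF2 calls for the KOA against 36 for the word-by-word product, the trade Table 6 tabulates.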

TABLE 2
The input sizes and weights of subproducts computed by children branches

Child         Computed subproduct   Size       Weight
Low Child     low                   2⌈n/2⌉     1 + z^⌈n/2⌉
Mid Child     mid                   2⌈n/2⌉     z^⌈n/2⌉
High Child    high                  2⌊n/2⌋     z^⌈n/2⌉ + z^(2⌈n/2⌉)

[0094] Let the product computed by the root be denoted as RootProduct, and the products computed by the leaves be denoted as leaf-products. The product RootProduct can be expressed in terms of the leaf-products. To do so, the products computed by the branches on the paths between the root and the leaves can be recursively decomposed using Equation (14). The decomposition proceeds from RootProduct and continues until the leaf-products are obtained. As shown in the following equation, the result is the weighted sum taken over all the leaf-products:

$RootProduct = \sum_{\forall i} LeafProduct_i \cdot Weight_i$  (15)

where LeafProduct_i is a particular leaf-product, and Weight_i is a polynomial in z.

[0097] Determining Weights of Leaf-products

[0098] The factors of Weight_i in Equation (15) are generated by the recursive decompositions performed along the path between the root and the leaf computing LeafProduct_i. These factors are the weights of the subproducts introduced during the decompositions and can be determined with the help of Table 2.

[0099] For example, consider the multiplication of 9-word polynomials using the KOA. Thus, the inputs of the root are 9-word polynomials. FIG. 3 shows a recursion tree 300 illustrating the multiplication of 9-word polynomials a and b. At each level, the polynomials are reduced to smaller subproducts (i.e., a′, a″, a‴) until the individual subproducts have one-word operands, shown in FIG. 3 at the third recursion level.

[0100] Now consider t, t′, t″, and t‴, which denote the products computed by the root, its child, its grandchild, and its grandgrandchild along a given path. For purposes of this example, let the child, grandchild, and grandgrandchild be mid, high, and low branches, respectively. FIG. 4 illustrates this path on the recursion tree 300. In particular, path 400 originates at the root 410 (i.e., t), proceeds to its mid child 412 (t′), then to its high grandchild 414 (t″), and finally to its low grandgrandchild 416 (t‴). The recursive decomposition of the products t, t′, and t″ is illustrated in Table 3.

TABLE 3
Example of determining the factors of the weights

Decomposed product   n   Emerging subproduct   Decomposition
t                    9   2⌈n/2⌉-word t′        t = [t′ z^⌈n/2⌉ + …] = t′ z⁵ + …
10-word t′           5   2⌊n/2⌋-word t″        = [t″ (z^⌈n/2⌉ + z^(2⌈n/2⌉)) + …] z⁵ + … = t″ (z³ + z⁶) z⁵ + …
4-word t″            2   2⌈n/2⌉-word t‴        = [t‴ (1 + z^⌈n/2⌉) + …] (z³ + z⁶) z⁵ + … = t‴ (1 + z)(z³ + z⁶) z⁵ + …
2-word t‴            1

[0101] In Table 3, the decomposed products are given in the first column. The subproducts emerging after the decompositions of these products are given in the third column. The weights and sizes of these subproducts are obtained from Table 2 for the values of n in the second column.

[0102] As noted above, n is the input size of the branch computing the decomposed product, and the decomposed product is comprised of 2n words. First, the product t, which is the product computed by the root, is decomposed for n = 9. After this decomposition, t′ and two other subproducts emerge. In Table 3, only t′ is shown. The other subproducts are omitted for the sake of presentation. Remember that t′ is computed by a mid branch (the mid child of the root). Its size and weight can be determined from Table 2 for n = 9. It is found that t′ is comprised of 2⌈n/2⌉ = 10 words, and its weight is z^((n+1)/2) = z⁵. Next, t′ is decomposed for n = 5. Note that n = 5 so that t′ has (2n = 10) words. In this manner, t″ can also be decomposed. The product t‴, however, cannot be decomposed because it has (n = 1)-word inputs and is computed at a leaf. Indeed, the leaf-product t‴ is computed by direct multiplication having (n = 1)-word inputs. The product t in this example corresponds to RootProduct in Equation (14), whereas t‴ corresponds to LeafProduct_i for some i. Similarly, Weight_i corresponds to the accumulated weight of t‴ (i.e., Weight_i = (1 + z)(z³ + z⁶)z⁵).

[0104] Determining Leaf-Products

[0105] Equation (15) can be useful only if the values of LeafProduct_i are also known. The leaves compute the LeafProduct_i's by multiplying their 1-word inputs. Thus, let LeafA and LeafB denote the inputs of the leaf computing LeafProduct_i for some i. Then,

LeafProduct_i = LeafA · LeafB  (16)

[0106] To find LeafProduct_i, the inputs LeafA and LeafB must be found. The inputs of the leaves and the branches are defined from the inputs of their parent in Steps 2 through 7 of the KOA function. Note that all these inputs are actually derived from the inputs of the root, which is the ancestor of all the branches and the leaves.

[0107] Let RootA and RootB denote the inputs of the root. Also, let a and b denote the inputs of an arbitrary branch. Then, a and b are in the following form:

$a = \sum_{i=1}^{r} RootA[k_i \# l_i]$

$b = \sum_{i=1}^{r} RootB[k_i \# l_i]$  (17)

[0108] for some r ≥ 1. Thus, a and b are the appropriate subarrays of the root's inputs or the sum of such subarrays. This is because Steps 2 through 7 of the KOA function, where the inputs of the children are generated from the inputs of the parent, involve only two basic operations: (1) partitioning into subarrays; and (2) adding subarrays. Note that in Equation (17), the subarrays which define a and the subarrays which define b have the same indices and lengths. This results from the fact that the first and second inputs of a branch are generated in the same way, except that the first input is generated from the words of RootA, while the second input is generated from the words of RootB.

[0109] Note also that LeafA and LeafB have the following form:

$LeafA = \sum_{i=1}^{r} RootA[k_i]$

$LeafB = \sum_{i=1}^{r} RootB[k_i]$  (18)

[0110] for some r ≥ 1. This results from the fact that LeafA and LeafB are one-word inputs of a leaf. Thus, the subarrays defining them cannot be longer than one word.

[0111] Once the inputs of the leaves are expressed in terms of the root's inputs, as in Equation (18), the leaf-products can be determined as the products of these inputs. As described above, the inputs of a branch are generated from the inputs of its parent. Thus, in order to express the inputs of the leaves in terms of the root's inputs, the inputs of the root's children must first be determined from the inputs of the root. Then, the process can be recursively continued until the inputs of the leaves are obtained.

[0112] The relationship between the inputs of the children and the parent is given by the equations in Steps 2 through 7 of the KOA function. The following proposition (Proposition 1) states this relationship in terms of subarray indices and lengths. Remember that the inputs of any branch can be defined as subarrays of the root's inputs. Thus, the inputs of every branch can be described by some indices and lengths identifying these subarrays.

[0113] Table 4, which is referred to in Proposition 1 and provided below, gives the indices and lengths describing the children's inputs in terms of those describing the parent's inputs. Table 4 can be used recursively to obtain the indices and lengths describing the inputs of the branches from the higher hierarchy to the lower. Eventually, the indices and lengths describing the inputs of the leaves can be found. Then, the inputs of the leaves can be obtained by adding the subarrays identified by these indices and lengths.

[0114] Proposition 1: Let the indices and lengths describing the inputs of the parent be k_i and l_i for i = 1, ..., r. Then, the indices and lengths describing the children's inputs are as given in Table 4. Note that because some lengths in the table are obtained by subtractions, they can be nonpositive. The subarrays with nonpositive lengths are equal to zero.

[0115] In Table 4, k_i and l_i for i = 1, ..., r are the indices and lengths, respectively, describing the inputs of the parent. Also, n is the input size of the parent, thus n = max(l₁, l₂, ..., l_r).

TABLE 4
The indices and lengths describing inputs of the children

Child         Inputs      Indices              Lengths
Low Child     a_L, b_L    k_i                  min(l_i, ⌈n/2⌉)
High Child    a_H, b_H    k_i + ⌈n/2⌉          l_i − ⌈n/2⌉
Mid Child     a_M, b_M    k_i, k_i + ⌈n/2⌉     min(l_i, ⌈n/2⌉), l_i − ⌈n/2⌉

[0116] The proof of this proposition proceeds as follows. Consider the branch having the inputs a and b given in Equation (17). Let its low, high, and mid children have the input pairs (a_L, b_L), (a_H, b_H), and (a_M, b_M), respectively. Table 4 suggests that:

$a_L = \sum_{i=1}^{r} RootA[k_i \;\#\; \min(l_i, \lceil n/2 \rceil)]$
$b_L = \sum_{i=1}^{r} RootB[k_i \;\#\; \min(l_i, \lceil n/2 \rceil)]$
$a_H = \sum_{i=1}^{r} RootA[k_i + \lceil n/2 \rceil \;\#\; l_i - \lceil n/2 \rceil]$
$b_H = \sum_{i=1}^{r} RootB[k_i + \lceil n/2 \rceil \;\#\; l_i - \lceil n/2 \rceil]$
$a_M = a_L + a_H$
$b_M = b_L + b_H,$  (19)

[0117] where n is the size of the inputs a and b. The size of a and b is the length of the longest subarray in Equation (17). Thus,

n = max(l₁, l₂, ..., l_r)  (20)

[0118] Equation (19) can be more particularly explained as follows:

[0119] First, as understood from Steps 2 and 3 of the KOA function, a_L and b_L are the lower halves of a and b (i.e., the first ⌈n/2⌉ words of a and b). Thus, the subarrays defining a_L and b_L are the lower parts of those defining a and b. The lower part of a subarray is its first ⌈n/2⌉ words or, if it is shorter than ⌈n/2⌉ words, itself. As a result, (1) the subarrays defining a_L and b_L have the same indices as those defining a and b (that is, their indices are equal to k_i for i = 1, ..., r, as seen in Equation (19)); and (2) the subarrays defining a_L and b_L cannot be longer than ⌈n/2⌉ words or than those defining a and b (that is, their lengths are equal to min(l_i, ⌈n/2⌉) for i = 1, ..., r, as seen in Equation (19)).

[0125] Second, as understood from Steps 4 and 5 of the KOA function, a_H and b_H are the higher halves of a and b (i.e., the remaining parts of a and b after their first ⌈n/2⌉ words are taken away). Thus, the subarrays defining a_H and b_H are the higher parts of those defining a and b. The higher part of a subarray is its words from the ⌈n/2⌉th word through the last word or, if it is shorter than ⌈n/2⌉ words, void. As a result, (1) the subarrays defining a_H and b_H have indices ⌈n/2⌉ words larger than those defining a and b (that is, their indices are equal to k_i + ⌈n/2⌉ for i = 1, ..., r, as seen in Equation (19)); and (2) the subarrays defining a_H and b_H are ⌈n/2⌉ words shorter than those defining a and b (that is, their lengths are equal to l_i − ⌈n/2⌉ for i = 1, ..., r, as seen in Equation (19)). Note that these lengths can be nonpositive due to the subtraction. If a length is nonpositive, the corresponding subarray equals zero. Third, as seen in Steps 6 and 7 of the KOA function, a_M (b_M) is the sum of a_L and a_H (b_L and b_H).

[0133] The following example illustrates how the inputs of a leaf are found. First, reconsider the example illustrated in Table 3 and in FIG. 4. In that example, a path was chosen and the products computed by the branches on the path recursively decomposed. Let (a, b), (a′, b′), (a″, b″), and (a‴, b‴), respectively, denote the inputs of the root, its child, its grandchild, and its grandgrandchild on this path. The following table illustrates how the indices and the lengths describing these inputs are found.

TABLE 5
Example of determining the indices and the lengths describing the inputs of the branches

                                                      Successor on the path
Inputs      n   Indices           Lengths           Indices             Lengths
(a, b)      9   k₁ = 0            l₁ = 9            k_i, k_i + ⌈n/2⌉    min(l_i, ⌈n/2⌉), l_i − ⌈n/2⌉
(a′, b′)    5   k₁, k₂ = 0, 5     l₁, l₂ = 5, 4     k_i + ⌈n/2⌉         l_i − ⌈n/2⌉
(a″, b″)    2   k₁, k₂ = 3, 8     l₁, l₂ = 2, 1     k_i                 min(l_i, ⌈n/2⌉)
(a‴, b‴)    1   k₁, k₂ = 3, 8     l₁, l₂ = 1, 1

[0134] The inputs are given in the first column, the sizes of the inputs are given in the second column, and the indices and lengths describing the inputs are given in the third and fourth columns. For this example, a root with a 9-word input is considered. The root's inputs (a, b) are the subarrays of themselves (i.e., a = a[0#9] and b = b[0#9]). Thus, the index and length describing the root's inputs (a, b) are 0 and 9, respectively. The next successor on the path is the mid child of the root with the inputs (a′, b′). Because this successor is a mid branch, its indices and lengths are k_i, k_i + ⌈n/2⌉ and min(l_i, ⌈n/2⌉), l_i − ⌈n/2⌉, respectively, according to Table 4. After the substitutions k_i = k₁ = 0, l_i = l₁ = 9, and n = 9, the indices and lengths describing the inputs of the root's child (a′, b′) are found. These indices and lengths are k₁, k₂ = 0, 5 and l₁, l₂ = 5, 4, as seen in Table 5. The size of the inputs (a′, b′) is the new n value, and n = max(l₁, l₂) = max(5, 4) = 5. In this fashion, the indices and lengths describing the inputs (a″, b″) and (a‴, b‴) are found. The inputs (a‴, b‴) comprise (n = 1) word. Thus, they are the inputs of the leaf at the end of the path. The indices and lengths describing them are k₁, k₂ = 3, 8 and l₁, l₂ = 1, 1, as seen in Table 5. This means that a‴ = a[3] + a[8] and b‴ = b[3] + b[8].

[0136] Remember that t‴ denotes the product computed by the leaf at the end of the path and is the product of the leaf's inputs. Thus,

$t''' = a''' \cdot b''' = (a[k_1 \# l_1] + a[k_2 \# l_2])(b[k_1 \# l_1] + b[k_2 \# l_2]) = (a[3] + a[8])(b[3] + b[8])$  (21)

[0137] In this manner, the leaf-product t‴ can be expressed in terms of the root's inputs.

[0138] Nonrecursive Functions Derived from KOA

[0139] In this section, exemplary nonrecursive functions KOA2, KOA3, KOA4, KOA5 and KOA6, which multiply 2-, 3-, 4-, 5- and 6-word polynomials, respectively, are derived and described. The input size of the functions is derived by analyzing the recursion tree of the KOA.

[0140] Consider two multi-word polynomials that are being multiplied by the KOA. In the recursion tree, these polynomials correspond to the inputs of the root. The root computes their multiplication, benefiting from the computations performed by the other branches (recursive calls). Note that this multiplication, computed by the root, can be expressed as a weighted sum of the leaf-products, as shown in Equation (15). Then, the multiplication of the input polynomials can be performed by computing the weighted sum in Equation (15) without any recursion.

[0141] The leaf-products and their weights are needed to compute the weighted sum in Equation (15). As described above, these parameters can be determined from the root's inputs. As noted, the root's inputs are the multi-word polynomials that are being multiplied. If the size and the words of these inputs are known, the leaf-products and their weights can be obtained through Table 2 and Table 4 in the manner illustrated above in the section concerning recursion trees. A computer program, such as a Maple program, can also be used to perform this process.
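The process just described, as an added example that is neither the patent's code nor the Maple program it mentions: every root-to-leaf path of the KOA recursion tree is walked with Table 2 (weights) and Table 4 (indices and lengths), reproducing the Table 3 and Table 5 path and Equation (21), and the product is then formed as the weighted sum of Equation (15) with no recursion; leaves with identical inputs are merged by adding their weights, which is the redundancy removal of process block 512 in FIG. 5. A polynomial in z is held as a Python int with bit k standing for z^k; the function names, the word size and the 32-bit sample operands are constructed here, and the 2-bit operands are those of FIG. 2.

```python
"""Nonrecursive product from the KOA recursion tree (Equations (15), (18), (21),
Tables 2-5). Added example, not the patent's own code. A weight polynomial in
z is held as an int: bit k set <=> term z^k. Word arrays are little-endian."""
from functools import reduce
from math import ceil
from operator import xor


def pmul(p, q):
    """Carry-less product of two GF(2)[z] polynomials held as ints."""
    return reduce(xor, (p << i for i in range(q.bit_length()) if (q >> i) & 1), 0)


def child_weight(kind, n):
    """Weight of a child's subproduct in its parent's decomposition (Table 2)."""
    h = ceil(n / 2)
    return {"low": 1 | (1 << h), "mid": 1 << h, "high": (1 << h) | (1 << 2 * h)}[kind]


def child_descriptor(kind, ks, ls, n):
    """Indices/lengths of a child's inputs from the parent's (Table 4, Proposition 1).
    A subarray whose length becomes non-positive is zero and is dropped."""
    h = ceil(n / 2)
    low = [(k, min(l, h)) for k, l in zip(ks, ls)]
    high = [(k + h, l - h) for k, l in zip(ks, ls)]
    pairs = {"low": low, "high": high, "mid": low + high}[kind]   # a_M = a_L + a_H
    pairs = [(k, l) for k, l in pairs if l > 0]
    return [k for k, _ in pairs], [l for _, l in pairs]


def walk_path(n, path):
    """Follow a root-to-leaf path of branch kinds from an n-word root.
    Returns the rows (n, indices, lengths) of Table 5 and the accumulated
    weight of Table 3 for the leaf at the end of the path."""
    ks, ls, weight = [0], [n], 1
    rows = [(n, ks, ls)]
    for kind in path:
        weight = pmul(weight, child_weight(kind, n))
        ks, ls = child_descriptor(kind, ks, ls, n)
        n = max(ls)                          # Equation (20)
        rows.append((n, ks, ls))
    return rows, weight


def leaves(n):
    """Yield (indices, weight) for every leaf of the recursion tree of an n-word
    root. At a leaf all lengths are 1, so LeafA = sum of RootA[k] (Equation (18))."""
    stack = [([0], [n], 1)]
    while stack:
        ks, ls, weight = stack.pop()
        size = max(ls)
        if size == 1:
            yield ks, weight
            continue
        for kind in ("low", "mid", "high"):
            cks, cls = child_descriptor(kind, ks, ls, size)
            stack.append((cks, cls, pmul(weight, child_weight(kind, size))))


def merged_leaves(n):
    """Group leaves by input word set and add (XOR) their weights: a leaf-product
    that occurs twice with the same inputs is computed once, and a weight that
    cancels to zero removes the leaf-product entirely (process block 512)."""
    acc = {}
    for ks, weight in leaves(n):
        key = tuple(sorted(ks))
        acc[key] = acc.get(key, 0) ^ weight
    return {key: wgt for key, wgt in acc.items() if wgt}


def leaf_sum_product(a, b, w):
    """RootProduct = sum_i LeafProduct_i * Weight_i (Equation (15)), no recursion."""
    n, mask = len(a), (1 << w) - 1
    t = [0] * (2 * n)
    for ks, weight in merged_leaves(n).items():
        leaf_a = reduce(xor, (a[k] for k in ks))      # Equation (18)
        leaf_b = reduce(xor, (b[k] for k in ks))
        lp = pmul(leaf_a, leaf_b)                      # 2-word leaf-product, Eq. (16)
        lo, hi = lp & mask, lp >> w
        for k in range(weight.bit_length()):           # add lp * z^k per weight term
            if (weight >> k) & 1:
                t[k] ^= lo
                t[k + 1] ^= hi
    return t


def to_int(words, w):
    """Little-endian word array -> polynomial over GF(2) as an int (for checks)."""
    return reduce(xor, (word << (w * i) for i, word in enumerate(words)), 0)
```

walk_path(9, ["mid", "high", "low"]) returns the rows of Table 5 and the weight (1 + z)(z³ + z⁶)z⁵ of Table 3; for a 6-word root the 21 leaves merge into 18 distinct leaf-products.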

[0142] For many input sizes, the weighted sum in Equation (15) is in a particular form, described below, or can be transformed into this particular form through algebraic substitutions. The following proposition and its corollary introduce this form and show how the weighted sums in this form can be computed efficiently.

[0143] Proposition 2: Let lp_i and w_i for i = 0, 1, ..., n−1 denote a set of leaf-products and their weights, respectively, such that

$w_i = \sum_{j=0}^{n-1} z^{i+j}, \quad \text{for } i = 0, 1, \ldots, n-1.$  (22)

[0144] Consequently, $t = \sum_{i=0}^{n-1} lp_i w_i$ is a 2n-word polynomial and can be computed from the leaf-products in the following two steps:

[0145] 1. Compute the (n+1)-word polynomial h from the words of the lp_i's as follows:

h[0] = lp_0[0],
h[i] = lp_i[0] + lp_{i−1}[1],  for i = 1, ..., n−1,
h[n] = lp_{n−1}[1].  (23)

[0146] 2. Compute the words of t from the words of h as follows:

t[i] = h[i],  i = 0,
t[i] = t[i−1] + h[i],  0 < i ≤ n−1,
t[i] = h[i−n+1],  i = 2n−1,
t[i] = t[i+1] + h[i−n+1],  n ≤ i < 2n−1.  (24)

[0147] The proof of this proposition proceeds as follows. As mentioned before, leaf-products are two-word polynomials. Thus, $\sum_{i=0}^{n-1} lp_i z^i$ can be written as:

$\sum_{i=0}^{n-1} lp_i z^i = \sum_{i=0}^{n-1} (lp_i[0] + lp_i[1] z) z^i = lp_0[0] + \sum_{i=1}^{n-1} (lp_i[0] + lp_{i-1}[1]) z^i + lp_{n-1}[1] z^n$  (25)

[0148] The coefficient of z^i above is equal to h[i] given in Equation (23) for i = 0, ..., n. Thus, the binary polynomial above is h. In brief, $\sum_{i=0}^{n-1} lp_i z^i = h = \sum_{i=0}^{n} h[i] z^i$. Then,

$t = \sum_{i=0}^{n-1} lp_i w_i = \sum_{i=0}^{n-1} lp_i \sum_{j=0}^{n-1} z^{i+j} = \sum_{j=0}^{n-1} \sum_{i=0}^{n-1} lp_i z^{i+j} = \sum_{j=0}^{n-1} \sum_{i=0}^{n} h[i] z^{i+j}.$  (26)

[0149] Because $z^{i_{max} + j_{max}} = z^{2n-1}$, t is a 2n-word polynomial. By using the change of variables k = i + j and l = i, the following can be obtained:

$t = \sum_{k = i_{min} + j_{min}}^{i_{max} + j_{max}} \; \sum_{l = \max(i_{min},\, k - j_{max})}^{\min(k - j_{min},\, i_{max})} h[l] \, z^k$  (27)

[0150] where i_min, j_min, i_max, j_max are the minimum and maximum values of the i and j variables. Because i_min = 0, j_min = 0, i_max = n, j_max = n−1,

$t = \sum_{k=0}^{2n-1} \; \sum_{l = \max(0,\, k-n+1)}^{\min(k,\, n)} h[l] \, z^k.$  (28)

[0151] Note that t[k], the kth word of t, is the coefficient of the term z^k above. Then,

$t[k] = \sum_{l = \max(0,\, k-n+1)}^{\min(k,\, n)} h[l], \quad \text{for } 0 \leq k \leq 2n-1,$  (29)

[0152] or equivalently,

$t[k] = \sum_{l=0}^{k} h[l], \quad \text{for } 0 \leq k \leq n-1,$

$t[k] = \sum_{l=k-n+1}^{n} h[l], \quad \text{for } n \leq k \leq 2n-1.$  (30)

[0153] We can rewrite the equations above as follows:

$t[k] = h[k] + \sum_{l=0}^{k-1} h[l], \quad \text{for } 0 \leq k \leq n-1,$

[0154] and

$t[k] = h[k-n+1] + \sum_{l=k-n+2}^{n} h[l], \quad \text{for } n \leq k \leq 2n-1.$  (31)

[0155] For k = i, l = j, the equations above yield the difference equations in Equation (24).

[0156] Corollary: Let lp_i and w_i for i = 0, 1, ..., n−m−1 denote a set of leaf-products and their weights, respectively, such that

$w_i = z^m \sum_{j=0}^{n-m-1} z^{i+j}, \quad \text{for } i = 0, 1, \ldots, n-m-1.$  (32)

[0157] Then, $t = \sum_{i=0}^{n-m-1} lp_i w_i$ is a (2n−m)-word polynomial and can be computed from the leaf-products in the following two steps:

[0158] 1. Compute the (n−m+1)-word polynomial h from the words of the lp_i's as follows:

h[0] = lp_0[0],
h[i] = lp_i[0] + lp_{i−1}[1],  for i = 1, ..., n−m−1,

[0159] and

h[n−m] = lp_{n−m−1}[1].  (33)

[0160] 2. Compute the words of t from the words of h as follows:

t[i] = 0,  0 ≤ i < m,
t[i] = h[i−m],  i = m,
t[i] = t[i−1] + h[i−m],  m < i ≤ n−1,
t[i] = h[i−n+1],  i = 2n−m−1,
t[i] = t[i+1] + h[i−n+1],  n ≤ i < 2n−m−1.  (34)

[0161] The proof of the corollary proceeds as follows. The weighted sum Σ_(i=0)^(n−m−1) lp_(i)w_(i) can be written as:

$\sum_{i=0}^{n-m-1} lp_{i}\, w_{i} = z^{m} \sum_{i=0}^{n-m-1} lp_{i}\, w_{i}',$

[0162] where w_(i)′=Σ_(j=0)^(n−m−1) z^(i+j) for i=0,1, . . . , n−m−1. The w_(i)′ terms are in the form given in Equation (22), except that n−m is substituted for n. Thus, the weighted sum Σ_(i=0)^(n−m−1) lp_(i)w_(i)′ can be computed as shown in Proposition 2. However, n−m must be substituted for n in the equations given in this proposition. After these substitutions, Equation (23) becomes Equation (33), and Equation (24) becomes

$t[i] = h[i], \quad i = 0,$

$t[i] = t[i-1] + h[i], \quad 0 < i \le n-m-1,$

$t[i] = h[i-n+m+1], \quad i = 2n-2m-1,$

$t[i] = t[i+1] + h[i-n+m+1], \quad n-m \le i < 2n-2m-1. \quad (35)$

[0163] The above equation provides t=Σ_(i=0)^(n−m−1) lp_(i)w_(i)′. However, the desired result is t=Σ_(i=0)^(n−m−1) lp_(i)w_(i). Thus, t must be multiplied by z^m to obtain the final result. For this, the index of every word of t is increased by m in the above equation; that is, t[index] is replaced with t[index+m]. This shift in the array representation is the equivalent of multiplying by z^m. Also, zeros are inserted into the first m words. After the change of variable i=i+m and some rearrangement, Equation (34) is obtained.

[0164] FIG. 5 is a flowchart showing generally how the nonrecursive algorithms operate. As shown by the dashed lines, the flowchart of FIG. 5 corresponds generally to process block 416 of FIG. 1.

[0165] At process block 510, the subproduct to be calculated is decomposed into a weighted sum of subproducts having one-word inputs. This decomposition may proceed, for instance, in the manner described above for finding the values and respective weights of the leaf-products from the corresponding recursion tree. At process block 512, algebraic substitutions are performed to identify pairs of identical subproducts. These redundant subproducts are then removed from the weighted sum. The pairs of redundant subproducts can be removed because their sum is zero in GF(2^m), thereby reducing the number of XOR operations that need to be performed to obtain the relevant subproduct. At process block 514, subproducts having the form described above in Proposition 2 are identified and grouped so that they can be efficiently calculated using the described method. At process block 516, a weighted sum according to Proposition 2 is calculated, thereby producing a partial result of the subproduct. As shown in Equation (24), this weighted sum can be obtained using previously calculated intermediate values (e.g., t[i−1] and t[i+1]), which may be stored once they are calculated. This procedure of storing and reusing intermediate values also reduces the number of XOR operations that need to be performed in order to obtain the desired product. At process block 518, the remaining subproducts having one-word inputs are calculated and used to update the partial result. The updated partial result produces the final product, which is returned at process block 520.

[0166] Although FIG. 5 shows a particular ordering of the processes, the order may vary from embodiment to embodiment. Moreover, an actual implementation of the procedure shown in FIG. 5 may perform only certain ones of the processes. For instance, the implementation may comprise code that has already taken into account the pairs of redundant subproducts and removed them from the calculation. Similarly, the subproducts having the special form may already be identified, such that the first step performed by the implementation is the calculation of the weighted sum of the subproducts. Further, in certain other implementations, the intermediate values are not stored but are recalculated.

[0167] Exemplary nonrecursive algorithms that may be used to calculate subproducts having 2- to 6-word operands are described below.

[0168] Function KOA2

[0169] Let a and b be 2-word polynomials, and their product be t=ab. The product t can be decomposed into the leaf-products, as described above. These leaf-products and their weights are:

    i   Leaf-product (lp_i)              Weight (w_i)
    0   a[0] b[0]                        1 + z
    1   a[1] b[1]                        z + z²
    2   (a[0] + a[1]) (b[0] + b[1])      z

[0170] Each row above is indexed with i. The ith row contains the ith leaf-product, denoted by lp_(i), and its weight, denoted by w_(i).

[0171] The product t can be computed as the weighted sum of the leaf-products as in Equation (15):

$t = a\,b = \sum_{i=0}^{2} lp_{i}\, w_{i}, \quad (36)$

[0172] The first two weights can be written as Σ_(j=0)^(n−1) z^(i+j) for i=0, . . . , n−1 where n=2. These weights are in the form mentioned in Proposition 2. Thus, the weighted sum of the first two leaf-products lp₀ and lp₁ can be computed efficiently, as described in the proposition. But this weighted sum is only a partial result for t. To obtain t, this partial result must be added to the weighted sum of the remaining leaf-products in the list above (i.e., to (a[0]+a[1])(b[0]+b[1]) z).

[0173] The function below performs the multiplication of 2-word polynomials by computing the weighted sum of the leaf-products.

    Inputs:    a, b : 2-word polynomials
    Output:    t : 4-word polynomial
    Temporary: lp_(i) : 2-word polynomials

    /* Compute the first two leaf-products */
    lp_(i) := MULGF2(a[i], b[i])                  i = 0, 1
    /* Compute h from (23) for n = 2 */
    h[0] := lp₀[0]
    h[1] := lp₁[0] + lp₀[1]
    h[2] := lp₁[1]
    /* Compute the partial result from (24) for n = 2 */
    t[0] := h[0]
    t[1] := t[0] + h[1]
    t[3] := h[2]
    t[2] := t[3] + h[1]
    /* Compute the remaining leaf-product (weight z) */
    lp₂ := MULGF2(a[0] + a[1], b[0] + b[1])
    /* Update t with the weighted sum of the remaining leaf-product */
    t[1] := t[1] + lp₂[0]
    t[2] := t[2] + lp₂[1]

[0174] The function above needs 7 word-additions (XOR) and 3 word-multiplications (MULGF2).

[0175] Function KOA3

[0176] Let a and b be 3-word polynomials, and their product be t=ab. The product t can be decomposed into the leaf-products, as described above. As a result of this decomposition, the following leaf-products and weights are obtained:

    i   Leaf-product (lp_i)                              Weight (w_i)
    0   a[0] b[0]                                        1 + z + z² + z³
    1   a[1] b[1]                                        z + z² + z³ + z⁴
    2   a[1] b[1]                                        z³ + z⁴
    3   a[2] b[2]                                        z² + z⁴
    4   (a[0] + a[1]) (b[0] + b[1])                      z + z³
    5   (a[0] + a[2]) (b[0] + b[2])                      z² + z³
    6   (a[0] + a[1] + a[2]) (b[0] + b[1] + b[2])        z³

[0177] Each row above is indexed with i. The ith row contains the ith leaf-product, denoted by lp_(i), and its weight, denoted by w_(i). Note that two of the leaf-products are redundantly the same.

[0178] The value of t can be computed as the weighted sum of the leaf-products as in Equation (15).

$t = a\,b = \sum_{i=0}^{6} lp_{i} \cdot w_{i} \quad (37)$

[0179] But this does not provide any advantage in terms of computational complexity. Thus, the value of t can be expressed with a modified set of leaf-products and weights so that an efficient scheme for computing the weighted sum can be found. For this purpose, the following substitution can be made for lp₆=(a[0]+a[1]+a[2])(b[0]+b[1]+b[2]):

$(a[0]+a[1]+a[2])(b[0]+b[1]+b[2]) = (a[0]+a[1])(b[0]+b[1]) + a[0]b[0] + (a[0]+a[2])(b[0]+b[2]) + a[1]b[1] + (a[1]+a[2])(b[1]+b[2]) + a[2]b[2] \quad (38)$

[0180] The equality above always holds for arbitrary polynomials over GF(2^m) such as a[0], a[1], a[2], b[0], b[1], b[2]. After the substitution, the result is again a weighted sum. Every distinct product in the result is defined as a leaf-product. Let lp_(i)′ denote a particular one of them. This product can appear more than once in the result with different weights. These different weights can be added into a single weight, denoted by w_(i)′:

    i   Leaf-product (lp_i′)              Weight (w_i′)
    0   a[0] b[0]                         1 + z + z²
    1   a[1] b[1]                         z + z² + z³
    2   a[2] b[2]                         z² + z³ + z⁴
    3   (a[0] + a[1]) (b[0] + b[1])       z
    4   (a[0] + a[2]) (b[0] + b[2])       z²
    5   (a[1] + a[2]) (b[1] + b[2])       z³

[0181] As before, each row above contains a leaf-product and its weight, and the corresponding weighted sum gives t:

$t = a\,b = \sum_{i=0}^{5} lp_{i}' \cdot w_{i}' \quad (39)$

[0182] The weighted sum of the first three leaf-products in the list above can be written as follows:

$a[0]b[0]\,(1+z+z^{2}) + a[1]b[1]\,(z+z^{2}+z^{3}) + a[2]b[2]\,(z^{2}+z^{3}+z^{4}) \quad (40)$

[0183] The weights above can be written as Σ_(j=0)^(n−1) z^(i+j) for i=0, . . . , n−1 where n=3. These weights are in the form mentioned in Proposition 2, allowing the weighted sum of the first three leaf-products to be computed efficiently as described in the proposition. But this weighted sum is only a partial result for t. To obtain t, this partial result must be added to the weighted sum of the remaining leaf-products in the list above. This weighted sum is:

$(a[0]+a[1])(b[0]+b[1])\,z + (a[0]+a[2])(b[0]+b[2])\,z^{2} + (a[1]+a[2])(b[1]+b[2])\,z^{3} \quad (41)$

[0184] The function below performs the multiplication of 3-word polynomials by computing the weighted sum of the leaf-products:

    Inputs:    a, b : 3-word polynomials
    Output:    t : 6-word polynomial
    Temporary: lp_(i) : 2-word polynomials

    /* Compute the first three leaf-products */
    lp_(i) := MULGF2(a[i], b[i])                  i = 0, ..., 2
    /* Compute h from (23) for n = 3 */
    h[0] := lp₀[0]
    h[i] := lp_(i)[0] + lp_(i−1)[1]               i = 1, ..., 2
    h[3] := lp₂[1]
    /* Compute the partial result from (24) for n = 3 */
    t[0] := h[0]
    t[i] := t[i − 1] + h[i]                       i = 1, 2
    t[5] := h[3]
    t[i] := t[i + 1] + h[i − 2]                   i = 4, 3
    /* Compute the remaining leaf-products */
    lp₃ := MULGF2(a[0] + a[1], b[0] + b[1])       /* weight z  */
    lp₄ := MULGF2(a[1] + a[2], b[1] + b[2])       /* weight z³ */
    lp₅ := MULGF2(a[0] + a[2], b[0] + b[2])       /* weight z² */
    /* Update t with the weighted sum of the remaining leaf-products in (41) */
    t[1] := t[1] + lp₃[0]
    t[2] := t[2] + lp₃[1] + lp₅[0]
    t[3] := t[3] + lp₄[0] + lp₅[1]
    t[4] := t[4] + lp₄[1]

[0185] The function above needs 18 word-additions (XOR) and 6 word-multiplications (MULGF2).

[0186] Function KOA4

[0187] Let a and b be 4-word polynomials, and their product be t=ab. The product t can be decomposed into the leaf-products, as described above. These leaf-products and their weights are given below:

    i   Leaf-product (lp_i)                                          Weight (w_i)
    0   a[0] b[0]                                                    1 + z + z² + z³
    1   a[1] b[1]                                                    z + z² + z³ + z⁴
    2   a[2] b[2]                                                    z² + z³ + z⁴ + z⁵
    3   a[3] b[3]                                                    z³ + z⁴ + z⁵ + z⁶
    4   (a[0] + a[2]) (b[0] + b[2])                                  z² + z³
    5   (a[1] + a[3]) (b[1] + b[3])                                  z³ + z⁴
    6   (a[0] + a[1]) (b[0] + b[1])                                  z + z³
    7   (a[2] + a[3]) (b[2] + b[3])                                  z³ + z⁵
    8   (a[0] + a[1] + a[2] + a[3]) (b[0] + b[1] + b[2] + b[3])      z³

[0188] Each row above is indexed with i. The ith row contains the ith leaf-product, denoted by lp_(i), and its weight, denoted by w_(i).

[0189] The value of t can be computed as the weighted sum of the leaf-products as in Equation (15).

$t = ab = \sum_{i=0}^{8} lp_{i}\, w_{i} \quad (42)$

[0190] The first four weights can be written as Σ_(j=0)^(n−1) z^(i+j) for i=0, . . . , n−1 where n=4. Also, the fourth and the fifth weights (those of lp₄ and lp₅) can be written as z^m Σ_(j=0)^(n−m−1) z^(i+j) for i=0, . . . , n−m−1 where n=4 and m=2. These weights are in the forms mentioned in Proposition 2. Thus, the weighted sum of the first six leaf-products lp₀, lp₁, lp₂, lp₃, lp₄, and lp₅ can be computed efficiently, as described in the proposition. But this weighted sum is only a partial result for t. To obtain t, this partial result must be added to the weighted sum of the remaining leaf-products in the list above.

[0191] The function below performs the multiplication of 4-word polynomials by computing the weighted sum of the leaf-products.

    Inputs:    a, b : 4-word polynomials
    Output:    t : 8-word polynomial
    Temporary: lp_(i) : 2-word polynomials

    /* Compute the first four leaf-products */
    lp_(i) := MULGF2(a[i], b[i])                  i = 0, ..., 3
    /* Compute h from (23) for n = 4 */
    h[0] := lp₀[0]
    h[i] := lp_(i)[0] + lp_(i−1)[1]               i = 1, ..., 3
    h[4] := lp₃[1]
    /* Compute the leaf-products lp₄ and lp₅ */
    lp₄ := MULGF2(a[0] + a[2], b[0] + b[2])
    lp₅ := MULGF2(a[1] + a[3], b[1] + b[3])
    /* Compute h′ from (33) for n = 4 and m = 2 */
    h′[0] := lp₄[0]
    h′[1] := lp₅[0] + lp₄[1]
    h′[2] := lp₅[1]
    /* Compute the partial result from (24) and (34) for n = 4 and m = 2 */
    t[0] := h[0]
    t[i] := t[i − 1] + h[i]                       i = 1
    t[i] := t[i − 1] + h[i] + h′[i − 2]           i = 2, 3
    t[7] := h[4]
    t[i] := t[i + 1] + h[i − 3]                   i = 6
    t[i] := t[i + 1] + h[i − 3] + h′[i − 3]       i = 5, 4
    /* Compute the remaining leaf-products */
    lp₆ := MULGF2(a[0] + a[1], b[0] + b[1])                               /* weight z + z³  */
    lp₇ := MULGF2(a[2] + a[3], b[2] + b[3])                               /* weight z³ + z⁵ */
    lp₈ := MULGF2(a[0] + a[1] + a[2] + a[3], b[0] + b[1] + b[2] + b[3])   /* weight z³      */
    /* Update t with the weighted sum of the remaining leaf-products */
    t[1] := t[1] + lp₆[0]
    t[2] := t[2] + lp₆[1]
    t[3] := t[3] + lp₆[0] + lp₇[0] + lp₈[0]
    t[4] := t[4] + lp₆[1] + lp₇[1] + lp₈[1]
    t[5] := t[5] + lp₇[0]
    t[6] := t[6] + lp₇[1]

[0192] The function above needs 38 word-additions (XOR) and 9 word-multiplications (MULGF2). Note that, when lp₆, lp₇, and lp₈ are computed, 4 XOR operations can be gained at the expense of additional storage.
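The two-step scheme of Proposition 2 and its corollary (Equations (33) and (34)) and the KOA4 function above, as an added example that is not part of the patent: a Python implementation with 32-bit words that builds h once, reuses t[i−1] and t[i+1] through the difference equations, and checks KOA4 against standard (schoolbook) multiplication. MULGF2 is emulated by shift-and-XOR; the names mulgf2, mul_standard, special_sum, koa4 and selftest are this example's own.

```python
# Added example (not the patent's own code): Proposition 2 / corollary and KOA4.
# Word size w = 32; mulgf2, mul_standard, special_sum, koa4 and selftest are
# names chosen here, not the patent's identifiers.
import random

W = 32
MASK = (1 << W) - 1


def mulgf2(a, b):
    """MULGF2: carry-less product of two w-bit words, returned as [low, high]
    (the costly operation the LKOA minimises; emulated with shift-and-XOR)."""
    r = 0
    for i in range(W):
        if (b >> i) & 1:
            r ^= a << i
    return [r & MASK, r >> W]


def mul_standard(a, b):
    """Standard multiplication: n^2 MULGF2 and 2n(n-1) XOR, used as reference."""
    n = len(a)
    t = [0] * (2 * n)
    for i in range(n):
        for j in range(n):
            lo, hi = mulgf2(a[i], b[j])
            t[i + j] ^= lo
            t[i + j + 1] ^= hi
    return t


def special_sum(lp, m=0):
    """Weighted sum of k = len(lp) two-word leaf-products whose weights are
    z^m * (z^i + ... + z^(i+k-1)): Proposition 2 for m = 0, its corollary
    otherwise.  h is built once (Equation 33) and the difference equations
    (34) reuse t[i-1] / t[i+1] instead of expanding every weight."""
    k = len(lp)
    h = [0] * (k + 1)                      # Equation (33)
    h[0] = lp[0][0]
    for i in range(1, k):
        h[i] = lp[i][0] ^ lp[i - 1][1]
    h[k] = lp[k - 1][1]
    t = [0] * (2 * k + m)                  # Equation (34): t[0..m-1] = 0
    t[m] = h[0]
    for i in range(m + 1, m + k):          # prefix sums, m < i <= n-1
        t[i] = t[i - 1] ^ h[i - m]
    t[2 * k + m - 1] = h[k]
    for i in range(2 * k + m - 2, m + k - 1, -1):  # suffix sums, n <= i < 2n-m-1
        t[i] = t[i + 1] ^ h[i - m - k + 1]
    return t


def koa4(a, b):
    """Nonrecursive 4-word multiplication with the leaf-products of the KOA4 table."""
    lp = [mulgf2(a[i], b[i]) for i in range(4)]          # lp0..lp3: n = 4, m = 0
    lp4 = mulgf2(a[0] ^ a[2], b[0] ^ b[2])                # weight z^2 + z^3
    lp5 = mulgf2(a[1] ^ a[3], b[1] ^ b[3])                # weight z^3 + z^4
    lp6 = mulgf2(a[0] ^ a[1], b[0] ^ b[1])                # weight z + z^3
    lp7 = mulgf2(a[2] ^ a[3], b[2] ^ b[3])                # weight z^3 + z^5
    lp8 = mulgf2(a[0] ^ a[1] ^ a[2] ^ a[3],
                 b[0] ^ b[1] ^ b[2] ^ b[3])               # weight z^3
    t = special_sum(lp)                                   # Equation (24), n = 4
    for i, s in enumerate(special_sum([lp4, lp5], m=2)):  # Equation (34), n = 4, m = 2
        t[i] ^= s
    # Remaining leaf-products: lp[0] lands at each exponent e of the weight,
    # lp[1] one word higher.
    for p, exps in ((lp6, (1, 3)), (lp7, (3, 5)), (lp8, (3,))):
        for e in exps:
            t[e] ^= p[0]
            t[e + 1] ^= p[1]
    return t


def selftest(trials=200, seed=1):
    """True if koa4 agrees with mul_standard on hand-picked and pseudo-random
    constructed operands (seeded, so the run is reproducible)."""
    rng = random.Random(seed)
    cases = [([1, 0, 0, 0], [1, 0, 0, 0]),            # 1 * 1
             ([1 << 31, 0, 0, 0], [2, 0, 0, 0]),      # x^31 * x crosses a word boundary
             ([MASK] * 4, [MASK] * 4)]                # all bits set
    for _ in range(trials):
        cases.append(([rng.getrandbits(W) for _ in range(4)],
                      [rng.getrandbits(W) for _ in range(4)]))
    return all(koa4(x, y) == mul_standard(x, y) for x, y in cases)


if __name__ == "__main__":
    print("koa4 == standard:", selftest())
```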

[0193] Nonrecursive Functions to Multiply Larger Polynomials

[0194] In the previous sections, the functions KOA2, KOA3 and KOA4 were presented for multiplying 2-, 3-, and 4-word polynomials. These functions each compute a weighted sum of leaf-products that yields the output product.

[0195] The leaf-products and their weights are obtained by decomposing the output products into the leaf-products as described above. Sometimes, however, the leaf-products can be redundantly the same, and their weighted sum can be simplified by algebraic manipulations. An example of this manipulation was shown with respect to KOA3.

[0196] For the multiplication of larger polynomials, the same method can be continued to obtain their leaf-products and weights. With increasing polynomial size, however, removing the redundancies and simplifying the weighted sum of leaf-products becomes more difficult. To overcome this problem, the leaf-products and the weights for the multiplication of the larger polynomials can be derived from the leaf-products and the weights derived for the multiplication of the smaller polynomials. Every time a new set of leaf-products and weights is obtained, they can be optimized. In this fashion, each set of leaf-products and weights can be derived from already optimized leaf-products and weights. Therefore, only a minor amount of optimization is required in each derivation. This process is more fully explained in the following section.

[0197] Deriving Leaf-Products and Weights for the Multiplication of n-Word Polynomials and for the Multiplication of (n−1)-Word Polynomials

[0198] Let n be an even number. Assume that the product of n/2-word polynomials can be expressed by the following weighted sum:

$\sum_{\forall i} LeafProduct_{i}\, Weight_{i}. \quad (43)$

[0199] The leaf-products and the weights above are derived for the multiplication of n/2-word polynomials. From them, the leaf-products and the weights for the multiplication of n- and (n−1)-word polynomials can be derived.

[0200] Let t be the product of the n-word polynomials a and b. The product t can be decomposed into three half-sized subproducts according to the following equation (which is similar to Equation (14) above):

$t = low\,(1 + z^{n/2}) + mid\, z^{n/2} + high\,(z^{n/2} + z^{n}) \quad (44)$

[0201] Note that low, mid and high are the products of n/2-word polynomials:

$low = a_{L}\, b_{L}$

$mid = (a_{L} + a_{H})(b_{L} + b_{H})$

$high = a_{H}\, b_{H} \quad (45)$

[0202] where the n/2-word polynomials are:

a_(L) = a[0#n/2]

b_(L) = b[0#n/2]

a_(H) = a[n/2#n/2]

b_(H) = b[n/2#n/2]  (46)

[0203] These terms can be expressed in the weighted sum of Equation (43) as follows:

$low = \sum_{\forall i} LeafProduct_{i}(a_{L}, b_{L})\, Weight_{i}$

$mid = \sum_{\forall i} LeafProduct_{i}(a_{L} + a_{H},\, b_{L} + b_{H})\, Weight_{i}$

$high = \sum_{\forall i} LeafProduct_{i}(a_{H}, b_{H})\, Weight_{i} \quad (47)$

[0204] where the LeafProduct_(i)'s are defined from the words of n/2-word polynomials.

[0205] Note that the product of the n-word polynomials, t, can be expressed with the following weighted sum:

$t = \sum_{\forall i} LeafProduct_{i}(a_{L}, b_{L})\, Weight_{i}\,(1 + z^{n/2}) + \sum_{\forall i} LeafProduct_{i}(a_{L} + a_{H},\, b_{L} + b_{H})\, Weight_{i}\, z^{n/2} + \sum_{\forall i} LeafProduct_{i}(a_{H}, b_{H})\, Weight_{i}\,(z^{n/2} + z^{n}) \quad (48)$

[0206] This weighted sum also yields the product of (n−1)-word polynomials when the last words of a and b are zero (i.e., a[n−1]=0 and b[n−1]=0).

[0207] Then, the product of the (n−1)-word polynomials can be given by the following weighted sum:

$t = \sum_{\forall i} LeafProduct_{i}(a_{L}, b_{L})\, Weight_{i}\,(1 + z^{n/2}) + \sum_{\forall i} LeafProduct_{i}(a_{L} + a_{H}',\, b_{L} + b_{H}')\, Weight_{i}\, z^{n/2} + \sum_{\forall i} LeafProduct_{i}(a_{H}', b_{H}')\, Weight_{i}\,(z^{n/2} + z^{n}) \quad (49)$

[0208] where a_(H)′=a[n/2#n/2−1] and b_(H)′=b[n/2#n/2−1]. In summary, the leaf-products and the weights for the product of the n-word polynomials can be written as follows (each row is summed over all i):

    Leaf-products                                  Weights
    LeafProduct_i(a_L, b_L)                        Weight_i (1 + z^(n/2))
    LeafProduct_i(a_L + a_H, b_L + b_H)            Weight_i z^(n/2)
    LeafProduct_i(a_H, b_H)                        Weight_i (z^(n/2) + z^n)

[0209] Similarly, the leaf-products and weights for the product of the (n−1)-word polynomials can be written as follows (each row is summed over all i):

    Leaf-products                                  Weights
    LeafProduct_i(a_L, b_L)                        Weight_i (1 + z^(n/2))
    LeafProduct_i(a_L + a_H′, b_L + b_H′)          Weight_i z^(n/2)
    LeafProduct_i(a_H′, b_H′)                      Weight_i (z^(n/2) + z^n)

[0210] Optimizing Leaf-products and Weights

[0211] In general, in one exemplary embodiment, optimizing the leaf-products and weights means that: (1) no leaf-products are redundantly the same; and (2) the weights are in the form mentioned in Proposition 2 and its corollary. In this sense, the leaf-products and the weights which are derived for the multiplication of n-word polynomials in the previous section are optimum so long as LeafProduct_(i) and Weight_(i) are optimum. Further, the leaf-products and the weights which are derived for the multiplication of (n−1)-word polynomials are not optimum, even if LeafProduct_(i) and Weight_(i) are optimum.

[0212] This can be explained as follows. The leaf-products derived for the multiplication of (n−1)- and n-word polynomials are the same, except that a[n−1]=0 is substituted in the former. The leaf-products are formed from sums of the words of the inputs a and b. If two leaf-products are formed from the same words and differ only in a[n−1], there is no problem for n-word polynomials. However, these two leaf-products look alike for (n−1)-word polynomials; that is, the leaf-products are redundantly the same.

[0213] According to the criteria recited above, Weight_(i) are optimum if

$Weight_{i} = \sum_{j=0}^{n/2-1} z^{i+j} \quad \text{for } i = 0, \ldots, n/2-1.$

[0214] Three new sets of weights were derived, which can be rewritten as:

$(1 + z^{n/2}) \sum_{j=0}^{n/2-1} z^{i_1+j} \quad \text{for } i_1 = 0, \ldots, n/2-1,$

$z^{n/2} \sum_{j=0}^{n/2-1} z^{i_2+j} \quad \text{for } i_2 = 0, \ldots, n/2-1,$

$(z^{n/2} + z^{n}) \sum_{j=0}^{n/2-1} z^{i_3+j} \quad \text{for } i_3 = 0, \ldots, n/2-1.$

[0215] Note that $(1 + z^{n/2}) \sum_{j=0}^{n/2-1} z^{i_1+j} = \sum_{j=0}^{n-1} z^{i+j}$ with $i = i_1$, and $(z^{n/2} + z^{n}) \sum_{j=0}^{n/2-1} z^{i_3+j} = \sum_{j=0}^{n-1} z^{i+j}$ with $i = i_3 + n/2$. Thus, these weights can be written as:

$\sum_{j=0}^{n-1} z^{i+j} \quad \text{for } i = 0, \ldots, n-1,$

$z^{n/2} \sum_{j=0}^{n/2-1} z^{i+j} \quad \text{for } i = 0, \ldots, n/2-1.$

[0216] These weights are in the forms mentioned in Proposition 2 and its corollary, and thus are optimum. Thus, the leaf-products and the weights derived for n-word polynomials may not need to be optimized when the leaf-products and weights derived for (n/2)-word polynomials have already been optimized. Moreover, the leaf-products and the weights derived for (n−1)-word polynomials may need to be optimized.
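The derivation described in this section (Equations (48) and (49), merging of redundant leaf-products, and the substitution of Equation (38)), as an added example that is not part of the patent: a Python script that derives the 2-, 4- and 3-word tables from the single product a[0] b[0], reproduces the optimized KOA3 table of lp_(i)′ and w_(i)′ given above, and checks a derived table numerically with 32-bit words. The representation (a leaf-product keyed by the sorted tuple of word indices, a weight as a bitmask of exponents) and every function name here (merge, derive_double, derive_odd, expand_triple, koa3_table, clmul, evaluate, check, weight_str) are this example's own.

```python
# Added example (not the patent's own code): derive leaf-product tables for
# n-word multiplication from the n/2-word table (Equation 48), specialise to
# n-1 words (Equation 49), merge redundant leaf-products and apply the
# substitution of Equation (38).  A leaf-product (sum_{i in S} a[i]) *
# (sum_{i in S} b[i]) is keyed by the sorted tuple S; a weight is an int
# bitmask with bit e set when the term z^e is present.  All names are
# this example's own.
from itertools import combinations

W = 32   # word size, used only by the numeric check


def merge(entries):
    """XOR the weights of identical leaf-products (in GF(2) a pair of equal
    terms cancels) and drop products whose weight became zero."""
    table = {}
    for idx, w in entries:
        if idx:                               # a[n-1] = 0 may empty a product
            table[idx] = table.get(idx, 0) ^ w
    return {idx: w for idx, w in table.items() if w}


def derive_double(table, half):
    """Table for n = 2*half words from the table for half words,
    Equation (48): low (1 + z^half) + mid z^half + high (z^half + z^n)."""
    n = 2 * half
    out = []
    for idx, w in table.items():
        hi = tuple(i + half for i in idx)
        out.append((idx, w ^ (w << half)))                # low
        out.append((tuple(sorted(idx + hi)), w << half))  # mid
        out.append((hi, (w << half) ^ (w << n)))          # high
    return merge(out)


def derive_odd(table, n):
    """Table for n-1 words: substitute a[n-1] = b[n-1] = 0 (Equation 49)."""
    return merge([(tuple(i for i in idx if i != n - 1), w)
                  for idx, w in table.items()])


def expand_triple(table, idx):
    """Equation (38): (a_i+a_j+a_k)(b_i+b_j+b_k) equals the sum of the three
    pair products (a_i+a_j)(b_i+b_j) and the three products a_i b_i."""
    w = table[idx]
    rest = [(other, v) for other, v in table.items() if other != idx]
    rest += [(pair, w) for pair in combinations(idx, 2)]
    rest += [((i,), w) for i in idx]
    return merge(rest)


def koa3_table():
    """Optimised KOA3 leaf-products: 1 -> 2 -> 4 words, then 3 words."""
    t4 = derive_double(derive_double({(0,): 1}, 1), 2)  # start: a[0] b[0], weight z^0
    t3 = derive_odd(t4, 4)          # merges the redundant a[1] b[1] pair
    return expand_triple(t3, (0, 1, 2))


def clmul(a, b):
    """Carry-less (GF(2)[x]) product of two Python ints."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def evaluate(table, a, b):
    """Product of word arrays a, b computed as the table's weighted sum."""
    t = 0
    for idx, w in table.items():
        sa = sb = 0
        for i in idx:
            sa ^= a[i]
            sb ^= b[i]
        lp = clmul(sa, sb)
        for e in range(w.bit_length()):
            if (w >> e) & 1:                   # z^e = x^(W*e)
                t ^= lp << (W * e)
    return t


def check(table, a, b):
    """True if the table multiplies a and b correctly (a[i], b[i] < 2^W)."""
    to_int = lambda x: sum(v << (W * i) for i, v in enumerate(x))
    return evaluate(table, a, b) == clmul(to_int(a), to_int(b))


def weight_str(w):
    """Render a weight bitmask the way the tables write it, e.g. 'z + z^3'."""
    return " + ".join("1" if e == 0 else "z" if e == 1 else "z^%d" % e
                      for e in range(w.bit_length()) if (w >> e) & 1)


if __name__ == "__main__":
    for idx, w in sorted(koa3_table().items(), key=lambda kv: (len(kv[0]), kv[0])):
        print(idx, weight_str(w))
```

The 4-word table produced by derive_double is the KOA4 table above; derive_odd on it merges the two a[1] b[1] rows of the first KOA3 table, and expand_triple then yields the six optimized KOA3 rows.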

[0217] Function KOA5

[0218] Let a and b be 5-word polynomials, and their product be t=ab. The product t can be decomposed into leaf-products in the manner described above. The product t may also be expressed in accordance with the algebraic manipulations described in the previous section. First, zero is substituted for the sixth words a[5] and b[5] in the leaf-products, because the polynomials multiplied by the KOA5 function are of five words, not six. At the end, the following leaf-products and weights are obtained:

    i    Leaf-product (lp_i)                                          Weight (w_i)
    0    a[0] b[0]                                                    1 + z + z² + z³ + z⁴ + z⁵
    1    a[1] b[1]                                                    z + z² + z³ + z⁴ + z⁵ + z⁶
    2    a[2] b[2]                                                    z² + z³ + z⁴ + z⁵ + z⁶ + z⁷
    3    a[3] b[3]                                                    z³ + z⁴ + z⁵ + z⁶ + z⁷ + z⁸
    4    a[4] b[4]                                                    z⁴ + z⁵ + z⁶ + z⁷ + z⁸ + z⁹
    5    0                                                            z⁵ + z⁶ + z⁷ + z⁸ + z⁹ + z¹⁰
    6    (a[0] + a[1]) (b[0] + b[1])                                  z + z⁴
    7    (a[0] + a[2]) (b[0] + b[2])                                  z² + z⁵
    8    (a[1] + a[2]) (b[1] + b[2])                                  z³ + z⁶
    9    (a[3] + a[4]) (b[3] + b[4])                                  z⁴ + z⁷
    10   (a[3] + 0) (b[3] + 0)                                        z⁵ + z⁸
    11   (a[4] + 0) (b[4] + 0)                                        z⁶ + z⁹
    12   (a[0] + a[3]) (b[0] + b[3])                                  z³ + z⁴ + z⁵
    13   (a[1] + a[4]) (b[1] + b[4])                                  z⁴ + z⁵ + z⁶
    14   (a[2] + 0) (b[2] + 0)                                        z⁵ + z⁶ + z⁷
    15   (a[0] + a[1] + a[3] + a[4]) (b[0] + b[1] + b[3] + b[4])      z⁴
    16   (a[0] + a[2] + a[3] + 0) (b[0] + b[2] + b[3] + 0)            z⁵
    17   (a[1] + a[2] + a[4] + 0) (b[1] + b[2] + b[4] + 0)            z⁶

[0219] Each row above is indexed with i. The ith row contains the ith leaf-product, denoted by lp_(i), and its weight, denoted by w_(i). The value of t can be computed as the weighted sum of the leaf-products as in Equation (15).

$t = ab = \sum_{i=0}^{17} lp_{i} \cdot w_{i} \quad (50)$

[0220] However, this does not provide any advantage in terms of computational complexity. Instead, the value of t can be expressed with a modified set of leaf-products and weights so that an efficient scheme for computing the weighted sum can be found. For this purpose, the following substitutions can be made for lp₁₆=(a[0]+a[2]+a[3])(b[0]+b[2]+b[3]) and lp₁₇=(a[1]+a[2]+a[4])(b[1]+b[2]+b[4]):

$(a[0]+a[2]+a[3])(b[0]+b[2]+b[3]) = (a[0]+a[2])(b[0]+b[2]) + a[0]b[0] + (a[0]+a[3])(b[0]+b[3]) + a[2]b[2] + (a[2]+a[3])(b[2]+b[3]) + a[3]b[3] \quad (51)$

$(a[1]+a[2]+a[4])(b[1]+b[2]+b[4]) = (a[1]+a[2])(b[1]+b[2]) + a[1]b[1] + (a[1]+a[4])(b[1]+b[4]) + a[2]b[2] + (a[2]+a[4])(b[2]+b[4]) + a[4]b[4] \quad (52)$

[0221] After the substitution, the result is again a weighted sum. Every distinct product in the result is defined as a leaf-product. Let lp_(i)′ denote a particular one of them. This product can appear more than once in the result with different weights. Let these different weights be added into a single weight, denoted as w_(i)′. The new leaf-products and weights become:

    i    Leaf-product (lp_i′)                                         Weight (w_i′)
    0    a[0] b[0]                                                    1 + z + z² + z³ + z⁴
    1    a[1] b[1]                                                    z + z² + z³ + z⁴ + z⁵
    2    a[2] b[2]                                                    z² + z³ + z⁴ + z⁵ + z⁶
    3    a[3] b[3]                                                    z³ + z⁴ + z⁵ + z⁶ + z⁷
    4    a[4] b[4]                                                    z⁴ + z⁵ + z⁶ + z⁷ + z⁸
    5    (a[0] + a[3]) (b[0] + b[3])                                  z³ + z⁴
    6    (a[1] + a[4]) (b[1] + b[4])                                  z⁴ + z⁵
    7    (a[0] + a[1]) (b[0] + b[1])                                  z + z⁴
    8    (a[0] + a[2]) (b[0] + b[2])                                  z²
    9    (a[1] + a[2]) (b[1] + b[2])                                  z³
    10   (a[2] + a[3]) (b[2] + b[3])                                  z⁵
    11   (a[2] + a[4]) (b[2] + b[4])                                  z⁶
    12   (a[3] + a[4]) (b[3] + b[4])                                  z⁴ + z⁷
    13   (a[0] + a[1] + a[3] + a[4]) (b[0] + b[1] + b[3] + b[4])      z⁴

[0222] The function below performs the multiplication of 5-word polynomials by computing the weighted sum of the leaf-products.

    Inputs:    a, b : 5-word polynomials
    Output:    t : 10-word polynomial
    Temporary: lp_(i) : 2-word polynomials

    /* Compute the first five leaf-products */
    lp_(i) := MULGF2(a[i], b[i])                  i = 0, ..., 4
    /* Compute h from (23) for n = 5 */
    h[0] := lp₀[0]
    h[i] := lp_(i)[0] + lp_(i−1)[1]               i = 1, ..., 4
    h[5] := lp₄[1]
    /* Compute the leaf-products lp₅ and lp₆ */
    lp₅ := MULGF2(a[0] + a[3], b[0] + b[3])
    lp₆ := MULGF2(a[1] + a[4], b[1] + b[4])
    /* Compute h′ from (33) for n = 5 and m = 3 */
    h′[0] := lp₅[0]
    h′[1] := lp₆[0] + lp₅[1]
    h′[2] := lp₆[1]
    /* Compute the partial result from (24) and (34) for n = 5 and m = 3 */
    t[0] := h[0]
    t[i] := t[i − 1] + h[i]                       i = 1, 2
    t[i] := t[i − 1] + h[i] + h′[i − 3]           i = 3, 4
    t[9] := h[5]
    t[i] := t[i + 1] + h[i − 4]                   i = 8, 7
    t[i] := t[i + 1] + h[i − 4] + h′[i − 4]       i = 6, 5
    /* Compute the remaining leaf-products */
    lp₇ := MULGF2(a[0] + a[1], b[0] + b[1])
    lp₈ := MULGF2(a[0] + a[2], b[0] + b[2])
    lp₉ := MULGF2(a[1] + a[2], b[1] + b[2])
    lp₁₀ := MULGF2(a[2] + a[3], b[2] + b[3])
    lp₁₁ := MULGF2(a[2] + a[4], b[2] + b[4])
    lp₁₂ := MULGF2(a[3] + a[4], b[3] + b[4])
    lp₁₃ := MULGF2(a[0] + a[1] + a[3] + a[4], b[0] + b[1] + b[3] + b[4])
    /* Update t with the weighted sum of the remaining leaf-products */
    t[1] := t[1] + lp₇[0]
    t[2] := t[2] + lp₇[1] + lp₈[0]
    t[3] := t[3] + lp₉[0] + lp₈[1]
    t[4] := t[4] + lp₉[1] + lp₁₃[0] + lp₇[0] + lp₁₂[0]
    t[5] := t[5] + lp₁₀[0] + lp₁₃[1] + lp₇[1] + lp₁₂[1]
    t[6] := t[6] + lp₁₀[1] + lp₁₁[0]
    t[7] := t[7] + lp₁₂[0] + lp₁₁[1]
    t[8] := t[8] + lp₁₂[1]

[0223] The function above needs 57 word-additions (XOR) and 14 word-multiplications (MULGF2). Note that when lp₇, lp₁₂, and lp₁₃ are computed, 4 XOR operations are gained at the expense of additional storage.

[0224] Function KOA6

[0225] Let a and b be 6-word polynomials, and their product be t=ab. The product t can be decomposed into the leaf-products as follows:

    i    Leaf-product (lp_i)                                          Weight (w_i)
    0    a[0] b[0]                                                    1 + z + z² + z³ + z⁴ + z⁵
    1    a[1] b[1]                                                    z + z² + z³ + z⁴ + z⁵ + z⁶
    2    a[2] b[2]                                                    z² + z³ + z⁴ + z⁵ + z⁶ + z⁷
    3    a[3] b[3]                                                    z³ + z⁴ + z⁵ + z⁶ + z⁷ + z⁸
    4    a[4] b[4]                                                    z⁴ + z⁵ + z⁶ + z⁷ + z⁸ + z⁹
    5    a[5] b[5]                                                    z⁵ + z⁶ + z⁷ + z⁸ + z⁹ + z¹⁰
    6    (a[0] + a[1]) (b[0] + b[1])                                  z + z⁴
    7    (a[0] + a[2]) (b[0] + b[2])                                  z² + z⁵
    8    (a[1] + a[2]) (b[1] + b[2])                                  z³ + z⁶
    9    (a[3] + a[4]) (b[3] + b[4])                                  z⁴ + z⁷
    10   (a[3] + a[5]) (b[3] + b[5])                                  z⁵ + z⁸
    11   (a[4] + a[5]) (b[4] + b[5])                                  z⁶ + z⁹
    12   (a[0] + a[3]) (b[0] + b[3])                                  z³ + z⁴ + z⁵
    13   (a[1] + a[4]) (b[1] + b[4])                                  z⁴ + z⁵ + z⁶
    14   (a[2] + a[5]) (b[2] + b[5])                                  z⁵ + z⁶ + z⁷
    15   (a[0] + a[1] + a[3] + a[4]) (b[0] + b[1] + b[3] + b[4])      z⁴
    16   (a[0] + a[2] + a[3] + a[5]) (b[0] + b[2] + b[3] + b[5])      z⁵
    17   (a[1] + a[2] + a[4] + a[5]) (b[1] + b[2] + b[4] + b[5])      z⁶

[0226] The function below performs the multiplication of 6-word polynomials by computing the weighted sum of the leaf-products.

    Inputs:    a, b : 6-word polynomials
    Output:    t : 12-word polynomial
    Temporary: lp_(i) : 2-word polynomials

    /* Compute the first six leaf-products */
    lp_(i) := MULGF2(a[i], b[i])                  i = 0, ..., 5
    /* Compute h from (23) for n = 6 */
    h[0] := lp₀[0]
    h[i] := lp_(i)[0] + lp_(i−1)[1]               i = 1, ..., 5
    h[6] := lp₅[1]
    /* Compute the 12th, 13th and 14th leaf-products */
    lp₁₂ := MULGF2(a[0] + a[3], b[0] + b[3])
    lp₁₃ := MULGF2(a[1] + a[4], b[1] + b[4])
    lp₁₄ := MULGF2(a[2] + a[5], b[2] + b[5])
    /* Compute h′ from (33) for n = 6 and m = 3 */
    h′[0] := lp₁₂[0]
    h′[1] := lp₁₃[0] + lp₁₂[1]
    h′[2] := lp₁₄[0] + lp₁₃[1]
    h′[3] := lp₁₄[1]
    /* Compute the partial result from (24) and (34) for n = 6 and m = 3 */
    t[0] := h[0]
    t[i] := t[i − 1] + h[i]                       i = 1, 2
    t[i] := t[i − 1] + h[i] + h′[i − 3]           i = 3, 4, 5
    t[11] := h[6]
    t[i] := t[i + 1] + h[i − 5]                   i = 10, 9
    t[i] := t[i + 1] + h[i − 5] + h′[i − 5]       i = 8, 7, 6
    /* Compute the remaining leaf-products */
    lp₆ := MULGF2(a[0] + a[1], b[0] + b[1])
    lp₇ := MULGF2(a[0] + a[2], b[0] + b[2])
    lp₈ := MULGF2(a[1] + a[2], b[1] + b[2])
    lp₉ := MULGF2(a[3] + a[4], b[3] + b[4])
    lp₁₀ := MULGF2(a[3] + a[5], b[3] + b[5])
    lp₁₁ := MULGF2(a[4] + a[5], b[4] + b[5])
    lp₁₅ := MULGF2(a[0] + a[1] + a[3] + a[4], b[0] + b[1] + b[3] + b[4])
    lp₁₆ := MULGF2(a[0] + a[2] + a[3] + a[5], b[0] + b[2] + b[3] + b[5])
    lp₁₇ := MULGF2(a[1] + a[2] + a[4] + a[5], b[1] + b[2] + b[4] + b[5])
    /* Update t with the weighted sum of the remaining leaf-products */
    t[1] := t[1] + lp₆[0]
    t[2] := t[2] + lp₆[1] + lp₇[0]
    t[3] := t[3] + lp₈[0] + lp₇[1]
    t[4] := t[4] + lp₈[1] + lp₉[0] + lp₆[0] + lp₁₅[0]
    t[5] := t[5] + lp₁₀[0] + lp₉[1] + lp₆[1] + lp₁₅[1] + lp₁₆[0]
    t[6] := t[6] + lp₁₀[1] + lp₁₁[0] + lp₈[0] + lp₁₇[0] + lp₁₆[1]
    t[7] := t[7] + lp₉[0] + lp₁₁[1] + lp₈[1] + lp₁₇[1]
    t[8] := t[8] + lp₉[1] + lp₁₀[0]
    t[9] := t[9] + lp₁₁[0] + lp₁₀[1]
    t[10] := t[10] + lp₁₁[1]

[0227] The function above needs 81 word-additions (XOR) and 18 word-multiplications (MULGF2). Note that when the remaining leaf-products are computed and the result is updated with their weighted sum, 9 XOR operations are gained. Additional storage, however, may be needed to achieve this gain.

[0228] Performance Analysis

[0229] The performance of the disclosed GF(2^m) multiplication methods depends mainly on the performance of the particular LKOA implemented. The cost of the modulo reduction operation is typically less significant if a trinomial or pentanomial is selected as the irreducible polynomial. In the following table, the number of XOR and MULGF2 operations required to multiply polynomials having a size between 2 and 6 words using standard multiplication, the KOA, and the LKOA described above is given.

    TABLE 6
                        Polynomial size n:    2     3     4     5     6
    XOR       Standard                        4    12    24    40    60
              KOA                             8    28    40    84   108
              LKOA                            7    18    38    57    81
    MULGF2    Standard                        4     9    16    25    36
              KOA                             3     7     9    17    21
              LKOA                            3     6     9    14    18

[0230] As seen in Table 6, the standard multiplication needs n² MULGF2 operations to compute the partial products and 2n(n−1) XOR operations to combine these partial products. The number of XOR and MULGF2 operations required for the KOA was calculated using a computer program, such as a Maple program. As seen from Table 6, the LKOA and the KOA need more XOR operations. However, the LKOA and the KOA need fewer MULGF2 operations than the standard multiplication. Because the emulation of MULGF2 is very costly, the LKOA and the KOA outperform the standard multiplication.

[0231] In comparison to other methods, GF(2^(m)) multiplication with the LKOA is more efficient, can be implemented in software in a computer-based environment, does not require a look-up table, and does not have a restriction on the field size m. Although the LKOA may require extra code size, the overall code size is still very reasonable. For example, the code for the particular implementation discussed above in the C programming language requires at most 5 kbytes.

[0232] A multiplication method using both the LKOA and the KOA for calculating polynomials in GF(2^(m)) may be implemented in software. Trinomials and pentanomials may be used for the reduction procedure that follows multiplication. Table 7 gives the timing results for two particular implementations for multiplying in GF(2^(m)): (1) the LKOA; and (2) the KOA.

TABLE 7 Timing results for GF(2^(m)) multiplication by the KOA and the LKOA

Field Size m                           163       211       233       283
Field Size in words (n = ⌈m/32⌉)         6         7         8         9
GF(2^(m)) multiplication by KOA      9.2 μs   10.2 μs   10.6 μs   18.8 μs
GF(2^(m)) multiplication by LKOA     5.0 μs    6.3 μs    6.7 μs   10.3 μs

[0233] The multiplication times for the finite fields GF(2¹⁶³), GF(2²¹¹), GF(2²³³), and GF(2²⁸³), which are commonly used in elliptic curve cryptography, were measured. The particular platform used in the measurement was a 450-MHz Pentium II machine with 256 Mbyte RAM. The timing results show that the LKOA is nearly two times faster than the KOA for GF(2^(m)) multiplication.

AN EXAMPLE OF MULTIPLICATION USING A NONRECURSIVE ALGORITHM

[0234] The operation of one of the nonrecursive algorithms is illustrated in the following example and in FIGS. 6 through 8. In particular, FIGS. 6 through 8 illustrate the operation of the KOA3 algorithm by relating it to the recursion tree of FIG. 2. In this example, two polynomials “110110” and “100101” (i.e., 1+x+x³+x⁴ and 1+x³+x⁵) are multiplied together. Both polynomials comprise three two-bit words. Thus, the operand size is n=3, and the word size is w=2. Let a denote 110110 and a[i] denote the ith bit of 110110. Also, let b denote 100101 and b[i] denote the ith digit of 100101.

[0235] The first process in the KOA3 algorithm is to compute the first three leaf-products lp₀, lp₁, and lp₂. In particular, these subproducts are lp₀=11*10=1100, lp₁=01*01=0010, and lp₂=10*01=0100. As shown in F these subproducts correspond to branches of the related recursion tree. In particular, lp₀ corresponds to branch 231, lp₁ corresponds to branches 233 and 236, and lp₂ corresponds to branch 226.

[0236] The second process in the KOA3 algorithm is to compute h from these leaf-products according to Equation (23). In particular, h is computed as follows:

h[0] := lp₀[0]

h[i] := lp_(i)[0] + lp_(i−1)[1] for i = 1, 2

h[3] := lp₂[1]

[0237] FIG. 6 shows this computation as a weighted sum of word-shifted versions of the leaf-products.

[0238] The third process in the KOA3 algorithm is to compute the partial result according to the following weighted sum:

t[0] := h[0]

t[i] := t[i−1] + h[i] for i = 1, 2

t[5] := h[3]

t[i] := t[i+1] + h[i−2] for i = 4, 3

[0239] FIG. 7 illustrates this computation as a weighted sum of the individual words from h combined with previously calculated terms. For instance, t[0] is calculated first. Then, t[1] is calculated from h[1] and the previously calculated value of t[0]. Similarly, t[5] is calculated after t[0] through t[2]. Then, t[4] is calculated as the sum of h[2] and the previously calculated value of t[5]. In this manner, the partial result is determined by storing and reusing previously calculated values, thereby reducing the number of XOR operations required to obtain the partial result.

[0240] The fourth process in the KOA3 algorithm is to determine the remaining leaf-products lp₃, lp₄, and lp₅. In particular, these subproducts are lp₃=10*11=1100, lp₄=01*11=0110, and lp₅=11*00=0000. As shown in FIG. 8, these subproducts correspond to branches of the related recursion tree. In particular, lp₃ corresponds to branch 232, lp₄ corresponds to branch 234, and lp₅ corresponds to branch 235. Note that lp₅ no longer corresponds precisely to branch 235, but has instead been modified through the algebraic substitutions recited above to comprise the subproduct (a[1]+a[2])(b[1]+b[2]). As more fully discussed above, the algebraic substitutions can be performed to maximize the number of one-word subproducts having weights in the form Σ_(j=0)^(n−1) z^(i+j) for i=0, . . . , n−1, which can be efficiently calculated.

[0241] The fifth process in the KOA3 algorithm is to update the partial result with the remaining leaf-products lp₃, lp₄, and lp₅, which enter the weighted sum with weights z, z², and z³. In particular, this update is performed as follows:

t[1] := t[1] + lp₃[0]

t[2] := t[2] + lp₃[1] + lp₄[0]

t[3] := t[3] + lp₄[1] + lp₅[0]

t[4] := t[4] + lp₅[1]

[0242] FIG. 8 illustrates this computation as a weighted sum of word-shifted versions of the remaining leaf-products. As a result of this computation, the final result is obtained. The final result may then be used as part of a recursive algorithm to compute the product of operands having a larger word size.
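The five KOA3 steps above, run on the page's operands as an added Python example (not the patent's code); the helper names mulgf2, words, bits, koa3, schoolbook and page_example are this example's own. Bit strings are written least-significant bit first as on the page, so “110110” is 1+x+x³+x⁴, and mulgf2 returns each two-word leaf-product as a (low word, high word) pair. koa3 also returns the leaf-products, h and the partial result so that every step of the example can be inspected, and the final result is checked against standard multiplication, which confirms the weights z, z² and z³ of lp₃, lp₄ and lp₅.

```python
# Added example, not the patent's code: the KOA3 steps of paragraphs [0235]
# through [0242] on the page's operands "110110" and "100101" with n = 3
# words of w = 2 bits. Bit strings are least-significant bit first, so
# "110110" is 1 + x + x^3 + x^4; word addition over GF(2) is XOR.


def mulgf2(x, y, w):
    """MULGF2: carry-less product of two w-bit words as (low word, high word)."""
    r = 0
    for i in range(w):
        if (y >> i) & 1:
            r ^= x << i
    return r & ((1 << w) - 1), r >> w


def words(bitstr, w):
    """Split an LSB-first bit string into w-bit words, word 0 being the lowest."""
    return [int(bitstr[i:i + w][::-1], 2) for i in range(0, len(bitstr), w)]


def bits(ws, w):
    """Inverse of words(): LSB-first bit string of a sequence of w-bit words."""
    return "".join(format(x, "0%db" % w)[::-1] for x in ws)


def koa3(a, b, w):
    """3-word product by the nonrecursive KOA3; returns the leaf-products,
    h, the partial result and the final 6-word result t."""
    assert len(a) == 3 and len(b) == 3
    lp = [mulgf2(a[i], b[i], w) for i in range(3)]            # lp0, lp1, lp2
    h = [lp[0][0], lp[1][0] ^ lp[0][1], lp[2][0] ^ lp[1][1], lp[2][1]]  # eq. (23)
    t = [0] * 6                      # partial result: each word reuses the last
    t[0] = h[0]
    for i in (1, 2):
        t[i] = t[i - 1] ^ h[i]
    t[5] = h[3]
    for i in (4, 3):
        t[i] = t[i + 1] ^ h[i - 2]
    partial = list(t)
    lp += [mulgf2(a[0] ^ a[1], b[0] ^ b[1], w),   # lp3, weight z
           mulgf2(a[0] ^ a[2], b[0] ^ b[2], w),   # lp4, weight z^2
           mulgf2(a[1] ^ a[2], b[1] ^ b[2], w)]   # lp5, weight z^3
    t[1] ^= lp[3][0]
    t[2] ^= lp[3][1] ^ lp[4][0]
    t[3] ^= lp[4][1] ^ lp[5][0]
    t[4] ^= lp[5][1]
    return {"lp": lp, "h": h, "partial": partial, "t": t}


def schoolbook(a, b, w):
    """Reference result by standard multiplication."""
    n = len(a)
    t = [0] * (2 * n)
    for i in range(n):
        for j in range(n):
            lo, hi = mulgf2(a[i], b[j], w)
            t[i + j] ^= lo
            t[i + j + 1] ^= hi
    return t


def page_example():
    """Run the page's example; returns the KOA3 trace and the product bits."""
    a, b = words("110110", 2), words("100101", 2)
    r = koa3(a, b, 2)
    return r, bits(r["t"], 2)


if __name__ == "__main__":
    r, product = page_example()
    for i, p in enumerate(r["lp"]):
        print("lp%d = %s" % (i, bits(p, 2)))
    print("h =", r["h"], "partial t =", r["partial"], "t =", r["t"])
    print("product bits (LSB first):", product)   # 1 + x + x^5 + x^7 + x^8 + x^9
```

Printing the leaf-products with bits() reproduces the page's strings 1100, 0010, 0100, 1100, 0110 and 0000, and the partial result shows the words t[0] through t[2] and t[5] through t[3] being built from the previously stored word each time.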

[0243] Applications of the LKOA

[0244] The methods described above may be used in a variety of different applications wherein multiplication of multi-precision numbers is performed. For example, the methods may be used in a software program that performs arbitrary-precision arithmetic (e.g., Mathematica) or in other specialized or general-purpose software implementations. Additionally, the methods may be used in the field of cryptography, which often involves the manipulation of large multi-precision numbers. For example, the methods may be used to at least partially perform the calculation of a variety of different cryptographic parameters. These cryptographic parameters may include, for instance, a public key, a private key, a ciphertext, a plaintext, a digital signature, or a combination of these parameters. Cryptographic systems that may benefit from the disclosed methods and apparatus include, but are not limited to, systems using the RSA algorithm, the Diffie-Hellman key exchange algorithm, the Digital Signature Standard (DSS), elliptic curves, the Elliptic Curve Digital Signature Algorithm (ECDSA), or other algorithms.

[0245] In one particular implementation, the methods are used, at least in part, to generate and verify a key pair or to generate and verify a signature according to the ECDSA. For example, the methods may be used to compute Q=dG during the key pair generation process, wherein Q is a public key, d is a private key, and G is a base point. Moreover, the methods may be used to verify that nQ=O during the key pair verification process, wherein n is the order of the point G, and O is the point at infinity of the elliptic curve. Similarly, the methods may be used to compute kG=(x₁,y₁), wherein k is a random or pseudorandom integer, and (x₁, y₁) is a point on the elliptic curve. The methods may similarly be used to calculate the related modular, inverse modular, and hash functions during the signature generation and verification processes.

[0246] Any of the methods described above may be implemented in a number of different hardware and/or software environments. FIG. 11 shows a block diagram of one exemplary general hardware implementation. More particularly, FIG. 9 shows a multiplying apparatus 900 (e.g., a computer) that includes a processor 910 (e.g., a microprocessor), memory 912 (e.g., RAM or ROM) and an input data path 914. Any one of the multiplication methods described above may be stored in the memory or on a computer-readable medium (e.g., hard disk, CD-ROM, DVD, floppy disk, RAM, ROM) that is separate from the memory 912 and accessible by the processor 910 before or during execution of the algorithm. During operation, the input operands (e.g., polynomials) may be supplied via the input data path 914 or by the memory 912. The processor 910 and the memory 912 are coupled together via the data paths 916, which enable the various read and write operations performed during the algorithm. The final product computed by the processor 910 may be output from the processor on output data path 916 or stored in the memory 912 for later use. The details of this general hardware implementation are omitted.

[0247] As noted, the disclosed methods may be used in cryptography to help compute a variety of cryptographic parameters using multi-precision multiplication. FIG. 10 shows a block diagram of a general cryptographic apparatus 940 that may be used to multiply two operands to produce a cryptographic parameter. The apparatus 940 includes a cryptographic processor 950 used to perform the algorithm; memory 952 used to store the operands, the intermediate results, and computer-executable instructions for performing the algorithm; and an input data path 954. The apparatus 940 operates much like the apparatus described in FIG. 9, but produces a cryptographic parameter at its output 956. The cryptographic parameter may be related to or constitute a portion of a public key, private key, ciphertext, plaintext, digital signature, or some combination thereof. The parameter may also constitute a number of other values used in cryptography. The cryptographic apparatus 940 may be included in a variety of security applications. For instance, the apparatus 940 may be included in a secure transaction server used for financial transactions, confidential record storage, SmartCards, and cell phones.

[0248] In view of the many possible implementations, it will be recognized that the illustrated embodiments include only examples and should not be taken as a limitation on the scope of the disclosed technology. Instead, the invention is intended to encompass all alternatives, modifications, and equivalents as may be included within the spirit and scope of the technology defined by the following claims.

What is claimed is:
1. A method of multiplying a first polynomial and a second polynomial over GF(2^(m)), comprising: representing the first polynomial and the second polynomial as an array of n words, wherein n is an integer; using a recursive algorithm to decompose a multiplication of the first polynomial and the second polynomial into a weighted sum of iteratively smaller subproducts; and using a nonrecursive algorithm to complete the multiplication when a size of the smaller subproducts is less than or equal to a predetermined size, the predetermined size being at least two words.
2. The method of claim 1, wherein the predetermined size is six words.
3. The method of claim 1, wherein the recursive multiplication algorithm is a Karatsuba-Ofman algorithm.
4. The method of claim 1, wherein the step of using a nonrecursive multiplication algorithm includes the step of excluding pairs of redundant subproducts.
5. The method of claim 1, wherein the nonrecursive multiplication algorithm stores and reuses previously calculated intermediate values to determine subsequent intermediate values.
6. The method of claim 5, wherein the previously calculated intermediate values are used to determine a weighted sum of subproducts having weights z of the form Σ_(j=0)^(n−1) z^(i+j) for i=0, . . . , n−1, wherein i and j are index integers.
7. The method of claim 6, wherein the subproducts having weights of Σ_(j=0)^(n−1) z^(i+j) for i=0, . . . , n−1 are one-word subproducts lp_(i) of a corresponding recursion tree, and the weighted sum of the subproducts is denoted as t, the method further comprising: calculating a (n+1)-word polynomial h from the one-word subproducts lp_(i), wherein h[0]=lp₀[0], h[i]=lp_(i)[0]+lp_(i−1)[1] for i=1, . . . , n−m−1, h[n−m]=lp_(n−m−1)[1], where h[i] is the ith word of h and m−1 is a degree of the first polynomial; and calculating a weighted sum t from words of h, wherein: t[i]=h[i] for i=0, t[i]=t[i−1]+h[i] for 0<i≦n−1, t[i]=h[i−n+1] for i=2n−1, t[i]=t[i+1]+h[i−n+1] for n≦i<2n−1, where t[i] is the ith word of t.
8. The method of claim 1, wherein at least one of the first and the second polynomials corresponds to at least a portion of a private key, and a product of the first polynomial and the second polynomial corresponds to a public key.
9. The method of claim 1, wherein the first polynomial and the second polynomial are cryptographic parameters and the multiplication is associated with signature generation.
10. The method of claim 9, wherein the signature generation is associated with an elliptic curve digital signature.
11. The method of claim 1, wherein the first polynomial and the second polynomial are associated with cryptographic parameters and the multiplication is associated with signature verification.
12. The method of claim 11, wherein the signature verification is associated with an elliptic curve digital signature.
13. A computer-readable medium, comprising instructions for performing the method of claim 1.
14. A method of multiplying a first polynomial and a second polynomial over GF(2^(m)): representing the first polynomial and the second polynomial as n words, wherein n is an integer greater than one; determining a partial result by calculating a weighted sum of one-word subproducts having weights z of a form Σ_(j=0)^(n−1) z^(i+j) for i=0, . . . , n−1, wherein i and j are index integers; and updating the partial result by adding remaining one-word subproducts.
15. The method of claim 14, further comprising identifying and excluding pairs of redundant one-word subproducts.
16. The method of claim 14, wherein the determining the partial result comprises: storing intermediate calculations in a memory; and reusing the stored intermediate calculations.
17. The method of claim 14, wherein the one-word subproducts are denoted as leaf-products lp_(i), and the determining the partial result comprises: calculating a (n+1)-word polynomial h from the leaf-products lp_(i), wherein h[0]=lp₀[0], h[i]=lp_(i)[0]+lp_(i−1)[1] for i=1, . . . , n−m−1, h[n−m]=lp_(n−m−1)[1], where h[i] is the ith word of h and m−1 is a degree of the first polynomial; and calculating a weighted sum t from words of h, wherein: t[i]=h[i] for i=0, t[i]=t[i−1]+h[i] for 0<i≦n−1, t[i]=h[i−n+1] for i=2n−1, t[i]=t[i+1]+h[i−n+1] for n≦i<2n−1, where t[i] is the ith word of t.
18. The method of claim 14, wherein at least one of the first and the second polynomials is associated with a private key, and a product of the first polynomial and the second polynomial is associated with a public key.
19. The method of claim 14, wherein the first polynomial and the second polynomial are cryptographic parameters and the multiplication is associated with signature generation.
20. The method of claim 19, wherein the signature generation is associated with an elliptic curve digital signature.
21. The method of claim 14, wherein the first polynomial and the second polynomial are cryptographic parameters and the multiplication is associated with signature verification.
22. The method of claim 21, wherein the signature verification process is associated with an elliptic curve digital signature.
23. A computer-readable medium, comprising instructions for performing the method of claim 14.
24. A method of determining an algorithm for multiplying a first polynomial and a second polynomial over GF(2^(m)): decomposing a product of the first polynomial and the second polynomial into a weighted sum of one-word subproducts; identifying pairs of redundant one-word subproducts; and removing the pairs of redundant one-word subproducts from the weighted sum, thereby obtaining a revised weighted sum.
25. The method of claim 24, wherein the first polynomial and the second polynomial have n−1 words, where n is an even integer, and wherein the first and the second polynomials are padded with zeros such that the first polynomial and the second polynomial can be represented as n words.
26. The method of claim 24, wherein the zero-padded words of the first and the second polynomials are excluded from the revised weighted sum.
27. The method of claim 24, further comprising identifying the one-word subproducts having weights z of a form Σ_(j=0)^(n−1) z^(i+j) for i=0, . . . , n−1 through algebraic substitutions, wherein i and j are index integers, and n is a number of words in the first and second polynomials.
28. The method of claim 27, further comprising calculating a weighted sum of the one-word subproducts having weights of Σ_(j=0)^(n−1) z^(i+j) for i=0, . . . , n−1 by storing and reusing intermediate calculations.
29. A nonrecursive algorithm determined by the method of claim 24.
30. A computer-readable medium, comprising instructions for performing the nonrecursive algorithm of claim 24.
31. A cryptographic method, comprising: receiving a first operand and a second operand, the first operand and the second operand representing a first polynomial over GF(2^(m)) and a second polynomial over GF(2^(m)); multiplying the first operand and the second operand in a multiplication process, the multiplication process comprising: using a recursive algorithm to reduce the multiplication of the first operand and the second operand into a weighted sum of smaller subproducts; and using a nonrecursive algorithm to multiply the smaller subproducts when a size of the smaller subproducts is less than or equal to a predetermined size, the predetermined size being at least two words; and outputting a cryptographic parameter associated with the multiplication.
32. The method of claim 31, wherein the predetermined size is six words.
33. The method of claim 31, wherein the recursive multiplication algorithm is a Karatsuba-Ofman algorithm.
34. The method of claim 31, wherein the nonrecursive multiplication algorithm excludes pairs of redundant subproducts.
35. The method of claim 31, wherein the nonrecursive multiplication algorithm uses previously calculated, stored weighted sums to determine subsequent weighted sums.
36. The method of claim 31, wherein at least one of the operands corresponds to a private key, and the cryptographic parameter is a public key.
37. The method of claim 31, wherein the cryptographic parameter is used in digital signature generation or digital signature verification.
38. The method of claim 37, wherein the signature generation is associated with an elliptic curve digital signature.
39. An apparatus for multiplying a first polynomial and a second polynomial over GF(2^(m)), comprising: means for receiving the first polynomial and the second polynomial; means for storing the first polynomial and the second polynomial as a series of words; means for recursively multiplying the first polynomial and the second polynomial by dividing the stored first and second polynomials into multiple smaller subproducts until an input size of the subproducts is less than a predetermined size; means for nonrecursively multiplying the subproducts when the size of the inputs is less than the predetermined size, the predetermined size being at least two words; and means for outputting the product of the first polynomial and the second polynomial.